2nd edition
IT GOVERNANCE
Managing Information Technology for Business
David Norfolk
London EC2A 3DU t: 020 7749 4748 f: 020 7729 6110 e: info@thorogoodpublishing.co.uk w: www.thorogoodpublishing.co.uk
transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.
This Special Briefing is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher's prior consent in any form of binding or cover other than that in which it is published and without a similar condition, including this condition, being imposed upon the subsequent purchaser. No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.
Special Briefing is available from the British Library. ISBN: 1-854187-45-7 978-185418745-1 Printed in Great Britain by Marston Digital
THE AUTHOR
David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior Analyst for Development in 2007 and is now Practice Leader for Development and Governance. He has published research papers on Compuware Uniface, data integration, the Artisan Studio software engineering tool, Capability and Maturity, Enterprise Architecture and so on; and has spoken at many events (e.g. for the Intel software community). David is co-author, with Shirley Lacy, of a practitioner-focussed book on Configuration Management, Configuration Management: Expert Guidance for IT Service Managers and Practitioners, published by the BCS. He first got interested in computers and programming quality in the 1970s, working in the Research School of Chemistry at the Australian National University. There he discovered that computers could deliver misleading answers, even when programmed by very clever people, and was taught to program in FORTRAN. He then worked in DBA and Operations Research for the Australian Public Service in Canberra. Returning to the UK in 1982, David worked for Bank of America and Swiss Bank Corporation, where he occupied positions in DBA, Systems Development Method and Standards, Internal Control, Network Management, Technology Risk and even Desktop Support. He was instrumental in introducing a formal Systems Development Process for the Bank of America Global Banking product in Croydon. In 1992, David became disillusioned with the way people issues were being handled in City IT and decided to start a new career as a professional writer and analyst. Since then he has written for many of the major computer magazines and various specialist titles around the world. He helped plan, document and photograph the CMMI Made Practical conference at the IoD, London, in 2005 and has written many industry white papers and research reports.
He is past co-editor (and co-owner) of Application Development Advisor; is currently Executive Editor for Croner's IT Policies and Procedures product; and was Associate Editor for the launch of Register Developer. David has an honours degree in Chemistry and is a Chartered IT Professional, has a somewhat rusty NetWare 5 CNE certification and is a full Member of the British Computer Society (he is on the committee of the Configuration Management Specialist Group). He has his own company, David Rhys Enterprises Ltd, which he runs from his home in Chippenham, where his spare moments (if any) are spent on semi-professional photography (he holds the Licentiate distinction from the Royal Photographic Society (LRPS) and is working on the Associateship), sailing and listening to music from classical through jazz to folk. Read David's blog, The Norfolk Punt, at http://www.it-analysis.com/blogs/The_Norfolk_Punt/
CONTENTS
MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE ...............................vii
1 CONTEXT: CORPORATE GOVERNANCE
2 EXTERNAL PRESSURES: WHAT REGULATIONS?
  The response to apparent governance failures ......................................10
  Legislation affecting IT governance ........................................................13
  General legislation with IT governance implications ............................21
ORGANISATIONAL IMPACT .............................................................................25
  Culture ........................................................................................................26
  Organisational maturity ............................................................................27
  Roles and responsibilities .........................................................................32
  Practical experience of governance ........................................................34
THE IMPACT ON IT ...........................................................................................39
  Enterprise Architecture ............................................................................41
  IT Governance Standards .........................................................................42
  IT service management .............................................................................44
  Lifecycle systems development process..................................................51
  Management reporting: Telling a true story ..........................................57
  Practical IT governance tools ...................................................................59
IMPLEMENTING IT GOVERNANCE ..................................................................65
CONCLUSIONS ...................................................................................................77
APPENDIX ..........................................................................................................81
  Resources....................................................................................................82
M A N A G E M E N T O V E RV I E W: D R I V E R S F O R I T G O V E R N A N C E
accurately know how many PCs they have and what programs run on them? How many organisations don't have an overall picture of exactly what is stored on their servers? When the directors of such companies accept responsibility for what their organisation does and how it does it, how can they do so with any confidence at all? Such a state of affairs cannot be allowed to continue.
Definition of IT governance
IT Governance is that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organisation; that IT-related risk is adequately identified and managed (mitigated, transferred or accepted); and that automated information systems (including financial reporting and audit systems) provide a true picture of the operation of the business.
References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the Resources appendix, at the end of this Report.
1 C O N T E X T: C O R P O R AT E G O V E R N A N C E
According to George Cox when he was Director General of the Institute of Directors, in the Introduction to the director's guide to corporate governance [IOD, 2004], "Modern capitalism, the model to which virtually the whole world now aspires, is totally dependent on high standards of governance." What he means by governance is the overall and rigorous supervision of company management so that business is done competently, with integrity and with due regard for the interests of all stakeholders. And this is important, not for altruistic reasons but because investors wouldn't buy shares in a company (or, rather, they'd insist on a considerable discount) if it wasn't run that way. As Alastair Sim, Director of Strategy and Marketing at SAS, points out in his Foreword to the same work [op. cit.], staying competitive involves maintaining investor confidence. The best way to do this is to ensure the transparency of a company's operations to investors and other stakeholders, by supplying them with appropriate and trustworthy information (with due regard to business confidentiality), and this is one of the main concerns of corporate governance, along with the need to comply with applicable laws and regulations. In the UK, the law is defined by statute; by statutory instruments, which implement Acts of Parliament and can materially affect the impact of a statute; and is further developed in the courts by precedent, so determining exactly what the law says is not always straightforward and taking expert advice is often a good idea. We then follow a "comply or explain" approach to governance. What this means is that, for example, companies with a full London Stock Exchange listing have to state that they comply with, for instance, the Combined Code (the consolidated governance rules promulgated in June 1998) but can report exceptions in certain areas, where they must explain the reasons for their departure from the rules.
The Combined Code [Combined Code, web] places great emphasis on the need to manage risk, which is largely what the financial reports made available to the various stakeholders are used for. As Peyman Mestchian (Director, risk management practice, SAS UK) puts it, "the sensible company takes risks but not gambles." You must take a holistic and objective view of risk: there is more to worry about than just financial risk. Reputation risk, for example, is frequently overlooked until loss of reputation starts to affect the financial bottom line, when it is often too late to mitigate it (a reputation that took years to build can be lost in months). The Turnbull Report guidelines to governance for companies quoted on the UK stock exchange talk about the risk associated with market, credit, liquidity, technological, legal, health and safety, environmental, reputation and business probity issues, as well as financial risk. However, some risk is good: you can't avoid risk without forgoing the business opportunities associated with new kinds of customers, new technologies and new products. In fact, risk avoidance is in itself risky, as it limits your opportunities for profit, and doing nothing is frequently the worst possible response to an emerging issue. What is important is that commensurate rewards are associated with the risks that you take, which implies that you have access to reliable information that lets you forecast the rewards and assess the risks with confidence. Corporate governance ultimately depends on the good functioning of the Board of Directors and, increasingly, non-executive directors are asked to take responsibility for deviations from good governance. Quoting Kerrie Waring, international professional development manager at the IOD [op. cit.]: "A well functioning Board is key to the performance of companies and their capacity to attract capital. A well-established corporate governance framework should ensure that Boards monitor managerial performance effectively to achieve an equitable return for shareholders and uphold the values of fairness, transparency, accountability and honesty." You could say that the prime objective of IT governance is to help rather than hinder the Board in its governance efforts, as part of a dynamic partnership between business and technology. (Technologists enable business; business rewards technologists.) In many organisations, the IT function is seen as a bit of a loose cannon, subject to different standards, responsibilities and controls from the rest of the organisation; and, in the long term, this isn't going to be good for the careers of those employed by the IT function. Corporate governance is often talked about in the context of publicly quoted companies, because the shareholders in such companies form a wide and visible set of stakeholders, and because stock markets underlie most economies these days. However, similar considerations also apply to private companies, of course, since although the stakeholders are different and the legal issues perhaps rather simpler, the owners of the company still need access to reliable information as to its operation. Regulations in the USA, say, are generally more draconian these days, although even Sarbanes-Oxley seems to be less prescriptive and more in the European style than previous US regulations. This is actually an improvement, as it is harder to merely comply with the letter of the law if you can be assessed both on what you consider to be appropriate internal controls and also on the effectiveness of your implementation of these controls. International corporate governance rules are also changing, but rules worldwide seem to be generally moving in the same direction. Eventually, it is hoped that the mission statement of the International Accounting Standards Board (IASB) will come to fruition and we will have a single set of high quality, understandable and enforceable global accounting standards that require transparent and comparable information in general purpose financial statements. Which brings us to Information Technology (IT), since large amounts of information are seldom stored, processed and retrieved manually these days. Your financial reporting is only as good as the quality of the data reported. You must be able to audit the lifecycle of this data from collection through to destruction: you must be able to show where it comes from, who has access to it and that any changes are properly authorised. IT can facilitate this: there is an issue with the transparency of IT (few businessmen are completely comfortable with code analysis) but business policies can be rigorously enforced in unambiguous computer code and any risk of manual error mitigated. Well, up to a point: "garbage in, garbage out" applies, and IT systems only do what they are told to do.
This is, of course, a governance issue: the policies embodied in the automated systems must be aligned with corporate policy, the instructions input to the IT systems must be the right instructions, and the accuracy of the translation of these instructions into code must be tested. IT is also increasingly a major source of risk in companies: IT facilitates worldwide access to internal systems, increasing the opportunity for fraud and data theft. The scope of impact of IT systems failure can be company-wide. IT projects are frequently an enabler for new business; in fact, IT systems are increasingly central to the operation of many companies.
Despite the importance of IT, according to the Standish Group Chaos Reports [Standish, web], over 80% of IT projects come in late, over budget or wrong (and frequently all three), and over a quarter are cancelled before they are fully implemented.
The Board needs to recognise the risk factors affecting IT projects: very large projects, visible projects, projects crossing geographical or departmental boundaries, projects using new technology, and projects particularly dear to the Board's heart are all particularly risky. IT development failures or operational failures are equally matters of corporate governance. When Nick Leeson brought down Barings, there was a real failure of banking governance: essentially, it simply isn't good practice to allow traders to make their own settlements. However, you can equally see this as partly an IT governance issue: the technology is available to enforce governance policies, including separation of function. Positions and limits can be reported transparently to management. The calculation of settlements can be removed from the possibility of human error. What technology can't do, of course, is to inculcate common sense in the Board or counteract complacency or greed. Even so, increasingly, IT is being made accountable for technology-driven business outcomes, and a technical failure that is allowed to affect the operation or reputation of a company is being seen as a failure of corporate governance, as, of course, it is. The next chapter looks at the legal framework underlying governance generally in the context of IT governance specifically.
2 E X T E R N A L P R E S S U R E S : W H AT R E G U L AT I O N S ?
It is a mistake to see IT Governance as purely a response to external regulatory pressures, as this engenders a fundamentally unsound attitude: governance becomes seen purely as a cost, a cost of doing business, over which you have no control. In fact, IT governance should be seen as a way in which the Board can ensure that IT resources are deployed and managed cost-effectively, in the pursuit of business strategy. The ultimate aim of IT governance is better, faster, cheaper business; that is, the assurance of business outcomes. Nevertheless, one aspect of this is the transparency that ensures that all the stakeholders in a business can satisfy themselves that the business is being carried out honestly and ethically, in the interests of the business (and community) as a whole, instead of the dysfunctional interests of particular parties. In the extreme, IT Governance is about mitigating the risk of internal IT-assisted fraud, probably a far greater potential disaster to a company than the high-profile risk of external hacking. The positive benefit from this transparency is that you can demonstrate the probity and reliability of your company to third parties: business partnerships will be easier to arrange (thus enabling greater automation of inter-business processes, or "straight through processing") and raising investment capital (from shareholders) should be easier. Unfortunately, it must be apparent that corporate governance in general has had a bumpy ride at the end of the last century and the beginning of this one. The Bank of Credit and Commerce International survived conventional auditing for years, despite being run as a criminal enterprise (a fact apparently known to many inside the banking industry, where it was sometimes referred to as the "Bank of Crooks and Conmen International"). It became apparent that many people held more non-executive directorships than they could manage if they were really overseeing the governance of the companies they held them with, and were treating them simply as a rewarding perk; and then Enron threatened to make the idea of corporate governance a joke. Since a lack of confidence in the operational probity of commercial organisations threatens the very fabric of international commerce, governments rapidly began to investigate the issue of what proper internal control should be and then to tighten up regulatory legislation. This generally addressed corporate governance in the widest sense but, unavoidably, had implications for IT governance specifically. Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn't just specify a list of more-or-less arbitrary rules) but attempts to engender good practice and foster organisational maturity. A company that satisfies the spirit of Sarbanes-Oxley, for example, will be a better-managed company, able to measure the effectiveness with which it aligns IT objectives to business objectives, able to demonstrate the effectiveness and honesty of its financial reporting and able to operate more cost-effectively as a result. Even so, there is a lot of new legislation surrounding financial reporting and internal control generally, which the IT group must be aware of. It is always going to be more effective, in the context of an evolving business and rapidly changing technology, if IT governance is built into automated systems from the start. This means adopting a lifecycle development and maintenance process which treats regulatory requirements as equal in importance to the other business requirements, and implies that automated systems are tested against scenarios derived from applicable legislation.
In general, the IT group can expect business stakeholders in an automated system to tell it what the regulatory requirements are, but the IT analysts must question what they are told and ensure that automated systems can satisfy the non-functional requirements for effective audit trails, access controls and systems resilience which originate in governance-promoting legislation. In turn, this means that they must be aware of what legislation exists and what sort of controls it mandates, at least so they can have sensible conversations with business managers as to what is needed.
Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Report, 1992)
This began the process of formalising corporate governance in the UK and included a code of best practice. It was extended to cover, for example, corporate pay by the Greenbury Committee.
Organisation for Economic Co-operation and Development (OECD), Principles of Corporate Governance
These were first published in 1999 and updated following a consultation process started in 2004, with representatives from, for example, business, trade unions and governments. The principles assert such things as the right of investors to nominate and elect company directors, to question companies on their compensation policy and to ask questions of the auditors. The OECD also expects Boards to protect whistle-blowers by allowing them confidential access to someone on the Board. The review process for the OECD Principles of Corporate Governance is described at [OECD, web].
Bank for International Settlements (BIS), Enhancing Corporate Governance in Banking Organisations
The Bank for International Settlements (BIS) is an international organisation that fosters international monetary and financial cooperation and serves as a bank for central banks. The head office is in Basel, Switzerland, and it has representative offices in the Hong Kong Special Administrative Region of the People's Republic of China and in Mexico City. It was established in 1930 and is the world's oldest international financial organisation. The BIS report, Enhancing Corporate Governance in Banking Organisations (1999) [BIS, web], is a useful summary of the principles of corporate governance in 1999, referencing the Basel Committee etc. The BIS site is generally a useful source of information on banking governance.
Internal Control: Guidance for Directors on the Combined Code (Turnbull Report)
The Turnbull Report was issued in 1999 and adopting its recommendations [Turnbull, web] is mandatory for companies quoted on the UK Stock Exchange, but the recommendations are far from prescriptive, although companies will find them sufficiently challenging. They call for Audit Committees to adopt a broader role in corporate governance and reiterate that the Board should maintain an effective internal control regime. This implies accuracy and transparency in the IT reporting systems that must be a foundation of any such effort. The Financial Reporting Council reviewed Turnbull in July 2004, which affects accounting periods starting on or after 2006. This review found that the Turnbull guidance still generally achieves its intended effect, in the light of UK and international experience since 1999, although there are questions as to how far it has succeeded in promoting the actual embedding of governance in business processes. The Turnbull Review Group made only a small number of changes to the Turnbull Guidance, one being that the board's statement on internal control should confirm that necessary actions have been, or are being, taken to remedy any significant failings or weaknesses in internal control. Turnbull at present is concerned with the spirit of corporate governance and isn't very prescriptive; it remains to be seen whether it becomes more prescriptive over time, along the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull, although less purely prescriptive than is usual with US regulations). The UK Auditing Practices Board revises its bulletins on The Combined Code on Corporate Governance: Requirements of Auditors under the Listing Rules of the Financial Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin 2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is superseded by Bulletin 2009.4, Developments in Corporate Governance Affecting the Responsibilities of Auditors of UK Companies, issued in December 2009 (see the list of Bulletins at [APB, web], for example).
He reported in 2003 with a set of suggested changes to the Combined Code, which was republished accordingly in that year. The Combined Code is now under the auspices of the Financial Reporting Council (FRC) and further changes can be expected as and when needed to ensure that it remains relevant in the face of changing business conditions and technologies.
Statutory registers
Each company is required to maintain and update as necessary a register of members and certain other statutory registers.
Accounting records
A company must keep adequate accounting records sufficient to show and explain the company's transactions, to disclose with reasonable adequacy the financial position of the company at any time and to enable the directors to prepare accounts in accordance with the Act (s. 386).
Statutory accounts
Directors are required to use the accounting records to produce statutory accounts that fulfil the legal requirements, and to prepare a directors' report (and in some cases other reports) that give prescribed information. These must be signed to indicate that the directors accept responsibility. If an audit is compulsory, or if an audit has been commissioned even though it is not compulsory, the accounts are then audited and the auditor will sign the audit report. In all cases, signed accounts must be sent to every company member and to Companies House. Obviously, IT systems must provide accurate information for these purposes.
Auditors' rights
Auditors have a right of access at all times to the books, accounts and vouchers of the company. They also have the right to require from directors, other officers, employees and certain other persons such information and explanation as they think necessary for the performance of their duties. Any person who, in making any statement (orally or in writing) that purports to convey information or explanations to the auditors in the course of their audit, knowingly or recklessly makes a statement that is misleading, false or deceptive in a material particular, commits an offence punishable by a fine or imprisonment for up to two years (or both). Failure to provide requisite information or explanations is also punishable, unless the person concerned can prove that it was not reasonably practicable to provide them (s. 501). Company management, and its directors in particular, should think in advance about the sort of information the auditors might need and ensure that systems are designed to provide it (or can be easily modified to provide it) as and when required. This policy then forms a non-functional requirement for systems development in general, which developers must be made aware of. Similarly, the provision of robust audit trails for financial information becomes a general non-functional requirement. Further, the only practical way you can be sure that your policies concerning the provision of audited financial information have actually been adopted in the automated systems that you use is to implement recognised industry best practice processes for the development of automated systems and the operational management of the infrastructure that they run on, such as the Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure Library [ITIL, web] procedures. Beyond even this, a company might find that process improvement (the ability to say what you are going to do, measure what you actually do and apply changes to the process that reduce any gap between aspiration and achievement) helps it to address regulatory criticisms in a cost-effective way and to cope with changing circumstances. One recognised process improvement regime for IT organisations is CMMI (Capability Maturity Model Integration) from the Software Engineering Institute [CMMI, web].
The director must meet the higher of the two requirements, and it is interesting to note that this duty follows the duty set out in Section 214 of the Insolvency Act 1986. As a practical example, it means that a non-executive director who is a well-qualified and experienced solicitor must bring the care, skill and diligence expected of such a person to a very small private company that operates a fish and chip shop. On the other hand, an unqualified and inexperienced director of a major public company must meet the standard expected of a director of that type in a company of that type. It is relatively easy to set out the required standard, but it must of course be translated into a myriad of individual circumstances, which may not be easy in practice. Judges have in the past (especially in the distant past) taken a very relaxed view about the standards expected, but the requirements have grown more demanding over the years, and especially in recent years. Directors are not expected to be experts in everything, which is an obvious impossibility. They are expected to use common sense, give a reasonable amount of time and effort to the company and to make suitable enquiries when necessary. They are expected to do what may reasonably be expected of a director of that type in a company of that type, and if they have particular skill, knowledge or training, they are expected to use it. This means, for example, that if a director is the Chief Technical Officer and a skilled programmer, he or she would have some responsibility for poor IT systems that do not implement company policy or which permit fraudulent practices.
companies; nor doing significant business with US companies (in which case they'll need to supply the information their partner needs to satisfy SOX); nor likely to be taken over by, nor merge with, a US company. Generally, SOX involves implementing an internal control framework such as COSO (see above), and only a recognised control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment, will be accepted. The essence of SOX compliance seems to be that you build a rod for your own back. You must develop a defensible approach to internal control for your business (and this can be criticised), then you devise a defensible approach to internal control for your systems, and then you must demonstrate that you are adhering to your own rules. In other words, it's not simply a case of adhering to the rules; there's an effectiveness measure too (and this is more along the lines of European regulatory practice). The impact on IT is that it must facilitate this process, by building into its systems and processes facilities that provide the information needed by SOX, the audit trails needed to assure the integrity of this information, and so on. The IT Group must also beware of "Silver Bullet" solutions: cosmetic quick fixes for compliance that become a constant maintenance overhead when the business changes [Faegre, web]. The two sections with most impact on IT are 302 and 404(a), which deal with the internal controls that should be in place to ensure the integrity of a company's financial reporting; this will impact directly on the software that controls, transmits and calculates the data used to build the company's financial reports.
Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the accuracy of their company's quarterly and annual reports. They must state:
1. That they have viewed the report.
2. That, to the best of their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.
3. That, to the best of their knowledge, the financial statements and other financial information in the report fairly present, in all material respects, the company's financial position, results of operations and cash flows.
4. That they accept responsibility for establishing and maintaining disclosure controls and procedures, and that the report contains an evaluation of the effectiveness of these measures.
5. That any major deficiencies or material weaknesses in controls, and any control-related fraud, have been disclosed to the audit committee and external auditor.
6. That the report discloses significant changes affecting internal controls that have occurred since the last report, and whether corrective actions have been taken.
There are serious civil and criminal penalties for making untrue statements in the areas above, so C-level executives are placing considerable trust in the integrity of their IT systems and in the people developing and supporting them. This means that they will start taking an interest in the IT process, and that this will likely come to be seen as an area C-level executives worldwide should be interested in, even if SOX isn't involved.
Section 404(a)
If Section 302 might have onerous implications for executives, Section 404 sets out the rules in detail (and you should check the Securities and Exchange Commission (SEC) website [SECSOX, web] for the latest details and implementation dates). In September 2003 the SEC said, 'We recognise that our definition of the term internal control over financial reporting reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives.' The SEC expects to see an Internal Control report in a company's annual report that:
- states that company management is responsible for establishing and maintaining adequate internal control over financial reporting for the company;
- identifies the framework against which the effectiveness of this internal control is assessed by management;
- assesses the actual effectiveness of the company's internal controls in practice, as at the latest financial year-end; and
- states that the company auditor has checked management's assessment of its internal controls.
Not surprisingly, perhaps, in view of its general findings, the Netegrity Security and Compliance Report [op. cit.] found that about a third of those that thought SOX was important (only 15% of the total, remember) weren't spending any money on technology to facilitate compliance with Section 404, and a further third were spending less than 50,000. In the light of this, it will also be no surprise that almost 90% of them either weren't sure that they'd manage to get their internal controls accredited against SOX, or thought it not likely. Leaving aside the question of penalties, is it possible that prospective partners in, investors in, or purchasers of a business might think that a business that couldn't satisfy SOX Section 404 represented an increased risk compared with investing in, say, a more compliant organisation? One would certainly think so.
Basel II had a significant impact on banking processes and the IT systems that implement and support them, largely in the area of credit risk profiling and monitoring. The UK FSA issued a consultative paper, 'Strengthening capital standards', in January 2005 (consultation closed at the end of April 2005), putting forward the options for implementing the CRD in the UK. Basel II is of great importance to banks, but probably won't affect companies in general very much. However, for financial institutions, Basel II has some quite subtle implications, especially as some financial observers think that banking is all about the serious business of trying to evade the spirit, if not the letter, of the new accord without being ambushed by the small print. Risk management is not particularly deterministic, and the new rules may simply mean that risk is transferred to less (or differently) regulated subsidiaries. This could certainly result in some challenges for the IT group: a need for rapid changes to financial systems as risk arbitrage opportunities arise and disappear. This will be an environment not especially friendly to IT governance (higher levels of capability/maturity may not be particularly appropriate, for example), but business needs must rule and IT risk must still be managed (look what happened to Barings when controls were relaxed for a new business environment and a dealer was able to make his own settlements). As predicted in the first edition of this report, issues with Basel II in practice resulted in the development of what is generally being called Basel III, which the G20 is talking about finalising in 2011 and implementing in 2012.
This is undoubtedly being driven by the near collapse of the banking system in recent years, and is likely to attempt to regulate definitions of tier 1 capital (which constitutes the most commonly cited financial strength metric for a bank) and necessary capital buffers, allowable leverage ratios, measures to limit counterparty credit risk, and short/medium term liquidity ratios. However, some banks are resisting more regulation, as it might impede their ability to function (although some might see that as no bad thing), and in September 2010 the FT reported 'German banks try to fend off Basel III' [FT, Web]. The implication for IT organisations in the Financial Services and Banking industry is that the regulations that their systems will have to enforce (and the degree to which they will be enforced in practice) are by no means defined yet. This is a lesson for IT generally: automated systems must be defined so as to support whatever regulations are in force (this is a definite requirement to analyse, even if a system's sponsors sometimes forget to mention it), but they must be particularly flexible (agile) in this area, as regulations are never set in stone and can move rapidly up senior management's agenda in response to particular crises or scandals.
some legitimate products. However, it is illegal, and the activities of organisations such as the Business Software Alliance [BSA, web] or FAST (the Federation Against Software Theft) [FAST, web] make even unintentional use of unlicensed software unacceptably risky. In January 2004, the Federation reinforced its use of criminal proceedings to crack down on the misuse of software under s.109 of the Copyright, Designs and Patents Act 1988. Companies have been prosecuted even while in the process of addressing their licensing issues, and the interruption to business (from confiscated computers etc.) and loss of reputation may be a bigger problem than the fine.
- Health services and pharmaceutical regulations such as, for example, the US Health Insurance Portability and Accountability Act of 1996 [HIPAA, web], and various pharmaceutical industry regulations worldwide. The pharmaceutical industry is particularly highly regulated.
- Telecommunications regulations such as the Regulation of Investigatory Powers Act (RIPA) [RIPA, web]. This impacts the interception of electronic communications and the use of encryption technology.
- The Health and Safety at Work Act in the UK [HAS, web]. This applies to workers in IT just as much as anywhere else. It isn't perhaps an IT governance issue, exactly, but it is important to remember that IT workers are not exempt from Health and Safety issues, and some of these (the impact of computer monitors on eyesight and Repetitive Strain Injury (RSI) from keyboard use, for example) are particularly related to computer use.
- The WEEE Recycling Directive [WEEE, web]. This probably won't impact end-users of IT much, but it may impact Operations, as most electronic equipment must now be recycled when it is disposed of (luckily, the vendor probably has to arrange this).
- The Disability Act, 1995 [Disability, web]. Again, like Health and Safety, IT organisations are not exempt. In particular, web sites must be designed to facilitate access by the differently abled. The key standard in this area is probably the Web Content Accessibility Guidelines 1.0 (1999; work continues on these and a Working Draft 2.0 was produced in 2003), created by the Web Accessibility Initiative of the W3C [WCAG, web].
- Anti-Money Laundering legislation, which (in the UK) is embodied in several pieces of primary legislation: the Criminal Justice Act 1988 (as amended), the Drug Trafficking Act 1994 and the Terrorism Act 2000 (as amended). This largely, although not exclusively, affects banking and financial organisations, which must make Suspicious Transaction Reports (STRs), if money laundering is suspected, either to the law enforcement authorities or to the relevant Money Laundering Reporting Officer (MLRO). Obviously, automated financial processing systems may have to recognise suspicious transactions, and this may impact IT systems design; there is also a possibility that STR processing may appear to conflict with the requirements of the Data Protection Act (since tipping off the subject of an STR is illegal), and this may also have an impact on IT systems design or operation [STR-DPA, web]. Anti-Money Laundering legislation introduces its own risks too: what should a bank do if it finds that its best and most profitable customers are probably money launderers, but it can't really afford to lose their business?
Publications such as Gee's IT Policies and Procedures [ITPP, 2004] attempt to guide subscribers on the current state of such legislation and are regularly updated, but you should always take professional advice as to the exact implications of legislation, if it affects you specifically. It is perhaps not directly a part of IT Governance per se, but it is sometimes worth remembering that it's a very good idea to avoid expensive court cases wherever possible (investigate alternative dispute resolution) and, in particular, to avoid becoming a test case for new regulations. It is indeed possible that regulatory compliance may be implemented in the software driving the business, but be very careful about this. Ultimately, the effect of regulatory law and its associated enabling legislation is what a court decides it is, not what seems reasonable to technically competent lay-readers of legal material. Even an expert legal opinion is not binding on a future court.
In the next chapter we look at the impact of IT governance on the organisation in general.
Culture
Good IT governance doesn't exist in a vacuum. However experienced your IT staff are, and however good the practices they follow, you don't have good IT governance unless these practices are institutionalised as part of a formal process that is regularly assessed and updated in the light of changes to the business or technology. If you 'just do it right, because that's how we do things', even if you are successful, how will you convince the auditors or regulators that you weren't successful purely through luck and that you will continue to do things right? Well, you'll have to conduct a review for them (or give them access to conduct their own review) that lets them discover all your critical processes and determine that they are properly controlled. This will be expensive, especially if you delegate it to an external party, and you'll have to do it all over again if the business, the technology or even the interested party changes. This is not an efficient use of resources, and you can hardly claim to have implemented good governance if it is based on such an ad hoc set of processes, especially if you also consider that time and resource pressures applied to a process that essentially repeats the same redundant evaluations will result in omissions and superficial assessments. An organisation that wants to implement good IT governance must have a supportive culture behind it. This means a culture that institutionalises good practice processes in pursuit of clearly defined organisational goals, and encourages buy-in to these goals at all levels. However, you can imagine a company that employs the best (or most expensive) people taking the view that 'what kept programmers from reaching their full potentials were managers who tried to impose standards, expectations or restrictions' (quoting from Larry Constantine's description of the state of affairs at the fictional Nanomush, in Constantine on Peopleware [Constantine, 1995]).
Such companies are fairly common in the software industry, and they usually enforce any regulatory rules with draconian disciplinary procedures once they have been brought to their attention. So, if you're caught using someone else's intellectual property in your IT systems, unlicensed, or you find fraudsters using a back door into your systems put there so that programmers could fix bugs faster, do you simply sack the person responsible for that bit of the system (if they are still working for you) and hope that the issue goes away? Of course, it doesn't: the lawyers carry on seeking damages or whatever; you've lost the free spirits who built your code without wasting time on documenting what they did; and the rest of your staff think you're victimising the unfortunate sacked programmers, who were only doing what their culture expected anyway. In this situation, you then start worrying about what other surprises await you, because if leaving programmers free to do their own thing has given you one problem, you have no means of assuring yourself that others haven't taken similar risks. Typically, after one bad experience, you start mandating compliance with some source of best practice, telling your programmers to 'get it right or else', which, since you are trying to change their culture, probably won't go down very well (you may lose the best of them and keep the dead wood that can't easily get a job elsewhere). You'll find that you can't just mandate compliance with anything outside of a military organisation and, in fact, military management practices are usually fairly enlightened, because even under military discipline the people at the sharp end can work around your mandates (and also because, possibly, battlefield soldiers have the ultimate sanction available against bad managers).
Unless you are the sort of company that sets goals before taking action, that measures the impact of its actions relative to those goals, and that then changes what it is doing to reduce the gap between its aspirations and what it actually achieves, attempts to achieve good IT governance are probably doomed to failure. This culture of measurement and continuous process improvement is largely what is meant by organisational maturity, although in our ageist society companies often prefer to aspire to being 'adaptive' rather than 'mature'.
Organisational maturity
As Constantine points out [op. cit.], 'Maturity is a central issue for the field of software development. Methodologists are wondering how long it will take for software engineering to mature as a discipline, managers are concerned about the level of process maturity in the approaches to development used within their organisations, and project leaders wonder about the maturity of the individuals whom they are called upon to lead.' But it's a concern in many more fields than just software development. Firefighting system failures may be fun and, in some organisations, you may be rewarded for the loyalty and dedication that firefighting at 03:00 am demonstrates, even if you're responsible for the problem you're fighting (you probably delivered really fast and got rewarded for that too). However, most business users would prefer you to take a more mature approach and not put the problem there in the first place (or, at least, observe its appearance and pre-emptively nip it in the bud). This concern for maturity is really driven by a desire for a quiet life, without surprises and embarrassments. Allegedly, the Software Engineering Institute at Carnegie Mellon started looking at capability and maturity in IT software development because someone at a party to celebrate the first moon landing noticed that we could put a man on the moon but couldn't build software that worked reliably. It started to develop a Capability Maturity Model for Software that an organisation could use as a target against which to assess the maturity of its software delivery processes. It then found that there was a need for other process maturity models and, to avoid the management issues of multiple assessments, came up with the Capability Maturity Model Integration (or 'Integrated', in older references), CMMI. CMMI is proving popular, both as a way for an organisation to benchmark internally its own ability to deliver and, perhaps unfortunately, as a marketing tool for organisations striving to distinguish themselves in a competitive marketplace. However, you don't have to have CMMI in order to be a mature organisation; it's just a good framework to work within (and you do really need an external benchmark against which to manage your progress).
Passing a CMMI appraisal (actually, there's no 'pass' in the certification sense, you just get appraised) doesn't guarantee good governance: it may simply show that your lack of governance is deliberate and that your management should be aware of this (which is, actually, a good start). However, mostly, what you measure (and this does apply to process) you try to do well.
CMMI
We must stress that we are not really discussing formal CMMI process improvement initiatives here; they're a whole different topic and deserve a report in themselves. However, we are using CMMI as a framework within which to talk about the maturity necessary for good IT governance. It is a convenient way to categorise the levels of maturity in an IT organisation, but we must apologise to serious CMMI practitioners for taking a rather superficial view of the subject. You should also remember that although CMMI deals with more than just software development, it doesn't cover every aspect of an organisation, even if its levels could provide a convenient shorthand for describing maturity in areas where CMMI proper doesn't apply. For those seeking more information, refer to the CMMI web address in the Resources Appendix [CMMI, web]. CMMI is commonly seen as a five-stage process, with organisations progressing through the stages in turn, although there is also a 'continuous' representation, which allows an organisation to be at a different capability level in different process areas at the same time (and CMMI experts often find this a more productive way to look at real organisations). The staged representation is easier to follow as a basis for discussion of maturity. The stages are:
5 The institutionalisation of continuous process improvement through proactive process measurement.
4 The use of quantitative process metrics, at the organisational level, to manage and improve the process.
3 The availability of managed process at an organisational level.
2 The availability of managed process at a project level.
1 The ad hoc application of process.
Level 1 doesn't mean that you have no process, or that projects always fail, or that nothing good happens: a common misconception. However, at Level 1 any successes can't be guaranteed; they may depend on particular people or circumstances, and a way of working in one project that delivers success may be abandoned or, at least, not used somewhere else, simply because management doesn't recognise what it has. It is hard to see how you can claim any great degree of IT Governance at the equivalent of CMMI Level 1. Going from Level 1 to Level 2 can be quite onerous, because it involves recognising and documenting what you have, and that often brings you up against the usual people issues, as your IT mavens may feel that documenting what they do and sharing it with others diminishes their value in the organisation. At Level 2, you are starting to have a degree of IT Governance and, remember, we are only using the CMMI Levels as a framework for describing maturity levels. You may effectively be at something corresponding to CMMI Level 2 as far as IT Governance is concerned, even if you aren't formally implementing a CMMI initiative and haven't undergone CMMI assessment (just don't claim to be at CMMI Level 2 unless you do undergo proper appraisal, undergo regular reappraisals, and publish the appraisal class (A, B or C) and its scope).
CMMI Level 3 is probably as far as you absolutely need to go for IT Governance, which is not to say that going further doesn't bring advantages and even better governance. However, at Level 3, you not only know what you have and know what you are doing with it, you are managing your IT resource at an organisational level and making basic measurements of the effectiveness of your management, which you can use to improve it. At what corresponds to Capability/Maturity Level 3, which includes Level 2, you should have, at least:
- Asset management in place, including management of information, infrastructure and application assets.
- An organisation-wide security policy, based on risk management and effective identity management.
- A business continuity policy implemented, complemented with service level management; incident, service impact and problem management; and effective capacity planning and provisioning.
- Effective configuration management in place.
- Information lifecycle management in place, ensuring that electronic business records are kept safely for as long as necessary and then disposed of reliably and securely.
- Managed processes for application lifecycle and operational management.
It should be noted that CMMI is itself developing, partly to address gaming of appraisals by company marketing departments (which is why the scope of an appraisal should be available and why appraisals have a limited period of validity). Interesting developments are the new CMMI 'constellations', CMMI-SVC for developing services rather than software and CMMI-ACQ for companies acquiring automation rather than developing it. There is also the issue that maturity and good process isn't an end in itself but a means for delivering business outcomes, and an organisation which is generally of high maturity may fail to deliver because just one key part of the organisation is at a low maturity level and fails to control risk.
Process-driven development and operations are fundamental to what we think of as IT governance and will be treated in more detail in the next chapter. A typical but vendor-independent development process is the Dynamic Systems Development Method [DSDM, web], and a widely accepted infrastructure/operations management process is documented in ITIL, originally sponsored by a UK Government computing organisation [ITIL, web].
Higher levels of maturity will fundamentally alter the nature of an organisation; the comparison is with the way that lean engineering revolutionised the Japanese car industry and enabled it to compete with and displace the traditional US motor industry in world markets. However, higher levels of maturity may not suit some organisations or, in particular, emerging industries and technologies, where things may be changing too fast for a stable process to be feasible (although if you are implementing CMMI properly and fully understand its concepts, we suspect that there is room for argument here). Whatever the case, it is probably true that you can't properly appreciate the benefits, and the consequences or implications, of higher maturity levels until you are at Level 2 or 3. At the equivalent of Level 4, you become a metrics-focused organisation, managing quantitatively through metrics, which doesn't mean that you don't measure capability and improvement, where you can, at lower levels. You don't just measure what is easy to measure; you potentially measure everything, on the grounds that 'you can't manage what you can't measure'. There is an overhead associated with this measurement activity, however, so in practice you will concentrate on a few carefully chosen key performance metrics (which may be derived from several low-level metrics), and measurement automation is vital (you really need to build the necessary instrumentation into the design of your systems rather than try to bolt it on afterwards). As technology improves, business analytics and optimisation technology [BloorAnalytics, Web] can build good governance into the framework of automated business systems. With the benefit of the metrics you collect, you can focus on areas for improvement and confirm that your improvements are, in fact, working. At the equivalent of Level 5, you are into continuous process improvement, and the occult powers of warrior-monks in Chinese martial arts movies start to seem normal.
Your metrics become predictive and you start to improve processes in anticipation of emerging problems. At this level, IT Governance is so innate that you probably don't even need to think about it, but there aren't many true Level 5 organisations in the world, and many that have been assessed at CMMI Level 5 have only done so with a limited scope. The point of this section is not to say that you must gain CMMI Assessment at Level 3 in order to implement good IT governance, but that you must have a certain level of maturity across the whole organisation in order to implement IT governance effectively. And CMMI Level 3 gives you some idea of the minimum maturity level you will need in practice. If you implement IT governance at lower maturity levels you will be lucky if it achieves what you hope it will. You will likely end up with islands of good governance and may find that embarrassing areas aren't covered. You will be unable to reliably measure either the effectiveness or the overheads of your governance initiatives, and you will be unable to manage the overall alignment of your IT Governance efforts with the requirements of corporate governance as a whole.
all productive development for a reasonably long period and continuing with critical service packs that break existing, insecure but working, applications) give some idea of the issues with this approach. However, although it must be involved, the IT group is not best placed to design and enforce governance, for three main reasons:
1. IT people are technology focused, and many governance issues are at least partly to do with people and should focus on delivering business outcomes.
2. IT people are innovation-oriented, and frequently 'tried and tested' is best for good governance.
3. IT people are rewarded for delivery, which may conflict with the need to get governance right.
The IT Group can well supply some of the requirements for IT governance, in the areas of business continuity and configuration management, for example, but there is a risk that its view of Governance will only reflect the technical issues. Being able to restore a working and up-to-date version of a database in the event of a contingency is very much a part of IT governance, but it is not sufficient: if the people using the database can't log into it, or don't have desks to sit at or phones on which to call their customers, then the success of the IT governance of the database won't matter much in the context of overall business continuity. On the other hand, even though business users are ultimately the stakeholders and paymasters for IT governance, they don't have the technical expertise needed to specify IT governance at the technical level. The business users may well be the source of the specifications for IT governance embodied in or implied by the legislative or regulatory environment, but, again, they are likely to specify only part of the solution. It is quite common to think that a conventional Audit Group will look after IT Governance but, in reality, it is almost the worst choice of all for this function.
Auditors often specialise (although this is changing) in after-the-fact criticism (which is too late, impacts on delivery and is expensive to address), don't generally have the up-to-date technical knowledge to control technologists, and don't have the culture to become part of the development team. We once remember noticing that the information archiving in a bank was rather out of control: everything was copied to tape, often several times after a series of changes, and while everything was in an archive, these were growing uncontrollably and it was doubtful whether the bank could answer ad hoc enquiries from archives with any confidence. So we asked the auditors what the archive requirements were, and they wouldn't budge from saying 'archive everything forever', which was hardly very helpful. However, the auditors may well be the ultimate backstop, the people who confirm that you have, in fact, addressed the letter of the laws and regulations. Nevertheless, it's really too expensive to find out that you haven't at this stage. One solution to IT governance is setting up an Internal Control Group, reporting to the Board separately, probably through a Governance Committee. The responsibility of such a group is to take a holistic view of governance, reporting at a business service level. However, it is also responsible for assisting or mentoring developers and IT operations staff, and should be both technically and socially able to relate to the IT Group in the early stages of its projects. The Internal Control Group is responsible for championing the governance point of view in IT, but it must be seen as a service function: a source of help and comfort, and of assurance that a technically successful project won't be criticised after implementation over governance issues the IT Group was hardly aware of. This is largely a social matter, but an Internal Control Group can hardly be expected to be respected, or even accepted, by the technologists in the IT Group unless its members have experience and technical knowledge that the IT Group respects, and unless the Internal Control Group acts as mentors instead of as policemen or technology superstars.
delivered to the client, and the more we can demonstrate that this is a value and the more we can get the client to find it with us, the more we can help him; it's a mutual benefit. 'There's a whole range of layers around how we do this,' Whitehand continues, 'ranging from the old-fashioned SLA (Service Level Agreement), where we measure the uptime of every component in a service, through to the total availability of a business process. It depends on the maturity of the client, how they're managed, how far we can take them on the journey towards IT governance or towards business governance, which is what really matters.' Metrics, Whitehand says, are very important, but 'they're not the be all and end all. You need to understand the value of the metrics.' CSC is adopting a balanced scorecard approach (which balances hard financial bottom-line metrics against softer metrics relating to intangible assets such as morale and customer satisfaction [BalScore, web]). Other participants at the roundtable, Thomas Mendel (principal analyst, Forrester Research) and Dr Jim White (Business Technologist, Managed Objects), confirmed that there were signs of a resurgence of interest in balanced scorecard since its first popularity almost a decade ago [Kaplan and Norton, 1992] [Kaplan and Norton, 1996]. This may be due to the availability of better automated metrics, so that the choice of metric is driven by business need, not the accessibility of the metric. According to Whitehand, balanced scorecard helps you easily identify management disconnects and gaps in your metrics, but you need to introduce it gradually; you can't simply take three years off to deliver a 'big bang' balanced scorecard solution. The developers of balanced scorecard, Dr Robert Kaplan and Dr David Norton, working at the Harvard Business School, said some 15 years ago: 'The balanced scorecard retains traditional financial measures. But financial measures tell the story of past events, an adequate story for industrial age companies for which investments in long-term capabilities and customer relationships were not critical for success. These financial measures are inadequate, however, for guiding and evaluating the journey that information age companies must make to create future value through investment in customers, suppliers, employees, processes, technology, and innovation.' What this implies, of course, is that IT Governance based entirely on cost control, while comparatively easy to formulate and implement, will not deliver governance of all those aspects of an organisation that are required for success today.
IT Governance: Managing Information Technology for Business
And as an aside, in CSC's world of outsourcing, the contract services are based on SLAs (we will do something for you on this day, or our networks will be up, or someone will answer the phone in a given timeframe and resolve your problem on the phone in a given timeframe too), so performance against SLA may be an important metric for governance. Of course, the IT Department should be relating to outside customers anyway, but one speaker didn't think that they usually do; although those that do see it as part of the business are probably the most productive and forward-looking companies. Nevertheless, there are potential issues with making the IT Group part of the business. "In a previous life," Whitehand says, "I actually ran internal IT services for a company and I did engender a kind of governance board to understand what my clients wanted inside the company. But it turned into the very thing you're talking about, Tom [Thomas Mendel], which is 'we're going to control you'." Although Whitehand believes in understanding quite as much as you can about what the client wants and what the business wants, "because the customer is the final arbiter of where you're going", he doesn't think that business managers should try to control technologists directly. So he cancelled that governance meeting, "because it was of non-value to the company; it just turned into 'let's stop them spending money and doing stuff' [although] it was probably a bit high-handed of me at the time". Business managers do not generally know enough about technology (at the cutting edge, especially) to effectively manage technologists who may know more about technology and its implications than they do. Similarly, we have seen a business-focused IT group that thought that it knew more about the business process than the business itself. It probably did, at the start, but it couldn't maintain this knowledge of the business cutting-edge without actually being involved in the business day-to-day (perhaps this is less true in a user-focused development environment such as eXtreme Programming). Finally, Mendel made an illuminating remark to the table generally: "If you ask IT directors and CIOs about governance you may be asking the wrong people," he said, "because from what we can tell all the initiatives around managing the risk of IT delivery, making your IT processes produce business value, those kind of things, they're all not driven by IT, not in the beginning anyway, they're driven by the end users, by the Board, so the understanding of what governance means to IT will come as a second step." "We're in a first phase," he continues, "where the business is starting to demand from IT an understanding of what products we're producing and how these compare with those from external markets, rather than just internal service delivery." Now, perhaps, is the opportunity for a mature IT department to move ahead of the curve and start to pre-emptively deliver the style of IT governance the Board of the company is coming to expect. In the next chapter we look at the impact of IT governance on the IT department specifically.
4 The impact on IT

IT governance will have an impact on IT: there will be some things that IT staff want to do that they won't be able to do after you implement IT governance, and new initiatives that they'll have to buy into. If implementing IT governance has no effect on the way you work, one wonders why you're bothering. This impact must be managed, as must the fear that IT governance will get in the way of productivity and increase bureaucracy for its own sake. It may be worthwhile pointing out that unproductive IT (wasting resources, often by building the wrong things and engaging in rework until you get it right) is itself a symptom of poor IT governance. You could do this in IT governance workshops, as part of the introduction of IT Governance. The point to stress is that IT governance is intended to produce a positive business benefit; although you may have to invest up front in order to achieve a longer term benefit, always try to identify and publicise short-term benefits on the way. It is usually best to catalyze the implementation of IT governance with an obvious short-term benefit, such as the prospect of regulatory fines (or worse) if you don't get your house in order. You don't have to do it all at once if you take a process-driven approach to IT Governance. You can put in place processes to address immediate problems (as long as you think a bit about the big picture context), measure the consequences of this and use these metrics to justify further investment or, perhaps, to change the process you're adopting. It is best to get it right first time, but it makes no
sense to persist with something that isn't working (although you should learn from the experience for the next time). Promoting IT Governance should be made part of an employee's conditions of employment, and the promotion of good governance recognised in pay awards and staff appraisals. A necessary (but not sufficient) requirement for good IT governance is the availability of a proper security policy; adherence to this, and promotion of good governance generally, should be mentioned in standard employment contracts and, more importantly, made part of staff induction training. So, to summarise, the most important effect on the IT Group is that it will have to become a process-oriented organisation with a measurement culture: it should make fact-based decisions, not decisions based on gut feelings and outdated rules of thumb. The idea is that the IT Group will be able to say what it is going to do about IT issues (including things like compliance, reliable business service delivery and other governance issues), evaluate its success in doing it and change what it does next in order to reduce the gap between aspiration and achievement. This is the essence of good governance. An organisation may find that the adoption of an industry-accepted Code of Practice, such as that from the British Computer Society [BCSCode, web], is helpful in inculcating a good IT Governance culture in the IT group.
Enterprise Architecture
Enterprise architecture [BloorEA, web], or EA, is one of those terms which means many things to many different people. However, in essence it should represent the intersection between business strategy and policy and the IT strategies and policies which implement it. This makes it central to IT Governance if you see IT Governance, as we do, as a subset of corporate governance generally. EA brings different views of an organisation's automated systems (the business view, the IT view, and a view of what the data in the system actually means, the semantics) into one place. This puts business automation into business ownership and helps you build the right automation as well as building the automation right, which is part of the essence of good IT governance. EA also helps change impact analysis, delivering "no surprises" to both business and IT, another aspect of good governance, and it helps you manage the linking of technology systems with partners and customers. In general, EA helps you
to manage a well-governed transition from where your automated systems are now to where you'd like them to be, without losing the ability to do business effectively on the way.
IT Governance Standards
The ISO/IEC 38500:2008 IT Governance Framework
Good governance must be institutionalised in an organisation from top to bottom, so the place to start is at the very top, with senior management. A good way for the Board to demonstrate its commitment to good IT governance is to adopt an industry standard such as ISO/IEC 38500:2008 [ISO38500, web], which provides a ready-built framework to help board-level (CEO, COO, CIO etc.) senior management understand and meet its legal, regulatory and ethical obligations surrounding the use of IT in their organisation. This standard defines terms and principles and provides a governance model to support your organisation's customised governance framework. It is based on responsibility, strategy, acquisition, performance, conformance and human behaviour: principles that should guide management decision-making; and it provides 3 high-level IT governance objectives:
1. Assurance. Giving all its stakeholders confidence in the organisation's use of IT in a business context.
2. Guidance. Helping directors to govern IT effectively.
3. Objectivity. Providing an objective basis for evaluating corporate IT governance.
Alison Holt, Chair of the IT Governance Working Group in ISO, says: "This standard is targeted at the Board of an organisation, to assist the Board in delivering the maximum value from IT and information assets across the organisation." [ISO38500PR, web] This underlines a key point: IT governance must not be seen just as a cost of doing business; it should be seen in a positive way, as delivering real value from ensuring that IT assets are being used effectively, innovatively and appropriately, without waste. Other enterprise architecture frameworks (such as TOGAF [TOGAF, web] or Zachman [Zachman, web]) can also be useful, to help an organisation govern the way IT appears to the business.
An organisation will need to customise its own IT Governance framework, but it should aim to write as little new organisation-specific material as possible and supplement principles and structures with links to industry initiatives and practical training courses in the governance-related initiatives it chooses to adopt. An organisation's governance framework might cover, in a couple of dozen pages at most:
• A high level IT Mission Statement: values, aims, principles and accountability.
• IT Governance roles, responsibilities and reporting structures.
• Any Code of Practice the organisation expects its IT staff to follow, and why.
• A list of the governance-related initiatives that the organisation has chosen to adopt and its objectives for these initiatives. These will provide the meat of IT Governance and might include ISO/IEC 38500, ITIL v3 and COBIT, for example, but their content need not be repeated.
• A list of specific laws and regulations the IT part of the organisation must comply with. This might include the UK Data Protection Act and the Regulation of Investigatory Powers Act, for example.
COBIT
COBIT [COBIT, web] is an overall IT governance framework widely accepted in the IT industry, and mappings from it to other standards/frameworks are available (sponsored, for example, by the OGC [OGC, web] and the IT Governance Institute [ITGI, web]) and are becoming higher profile as they are generally recommended as a basis for Sarbanes-Oxley compliance. It provides a high-level focus on what the business needs from IT and classifies its objectives into four general domains: plan and organise; acquire and implement; deliver and support; monitor and evaluate.
COBIT has a long history; it was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992, in the context of the COSO (Committee of Sponsoring Organisations of the Treadway Commission) corporate internal control process. It was first published in 1996 and Version 3 was made available online in 2003. The fourth edition introduced fairly fundamental changes at the end of 2005. It targets managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices that should help maximise the benefit from IT by asking questions about its processes such as: "is this important for our business objectives?", "is it well performed?", "who does it and who is accountable?", "are both process and control formalised?".
IT service management
Business service management
The first part of our working definition of IT governance (see "Definition of IT governance" in the Management overview) is that it's that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organisation. Now, it probably isn't the only possible approach to IT governance, but if you want to implement IT Governance firmly in the context of corporate governance as a whole, it helps if IT takes a service-oriented approach (built on a Service Oriented Architecture or SOA). As David Chappell of Sonic Software says in the introduction of his work on the Enterprise Service Bus [ESB, 2004], "An SOA [Service Oriented Architecture] provides a business analyst or integration architect with a broad abstract view of applications and integration components to be dealt with as high-level services." He goes on to point out that an Enterprise Service Bus (ESB) ties together applications and event-driven services in a loosely coupled way, which means that they can be treated independently, but still in the context of an overall business function. It is a fundamental thesis of this report that IT Governance is about IT in the service of the business, whether it's about returning an ROI in the form of assistance to money-making business processes, or about the avoidance of waste (and IT without a business purpose is a waste of resources), or about the satisfying of business regulatory or compliance requirements. From this point of view, the service-oriented approach to IT simply makes effective, business-oriented governance easier, although there are other technical reasons why SOA, and perhaps even ESB, will be important strategic directions for IT. However, this is a top-level, architectural view of the matter. Nevertheless, a very similar view is emerging bottom-up, from the (often neglected) IT operations world, in the form of Business Service Management (BSM), a term which Managed Objects [ManObj, web] claims to have invented but which is now also used by BMC and HP. According to HP, its BSM solution (which is based on its well-established HP OpenView product range) provides CIOs, business process owners, and key application owners with "a view of their business processes from a customer perspective" [OpenView, Web]. This should enable them to maintain a clear understanding of the high-level health of their computer infrastructure and the applications on which the business processes depend, which is certainly an aspect of IT governance. According to BMC Software [BSM, Web], "Business Service Management (BSM) provides an incremental approach to understanding and meeting your specific business needs. With BSM, you can identify the best technology solution to support your business and make the most of your current investments. You can deliver faster, more comprehensive and consistent services, increase revenue opportunities, lower the cost of ownership and reduce the risk of unnecessary IT expenditures." BSM obviously addresses the first part of our definition of IT Governance, to do with serving the business effectively, and goes on to deal with the middle part, the management and mitigation of IT risk. An important practical part of the BMC BSM picture is the Atrium Configuration Management Database (CMDB, an ITIL term; see below) [Atrium, Web], which provides information sharing and centralised management across both BMC and third party solutions. BMC claims that Atrium provides "a single source of truth" for your IT environment, an important basis for effective, manageable
IT Governance (even if you don't choose to obtain it with Atrium, it is an issue you will have to address). BMC identifies the following entry points to BSM:
• Service level management
• Incident and problem management
• Infrastructure and application management
• Service impact and event management
• Asset management and discovery
• Change and configuration management
• Capacity management and provisioning
• Identity management.
If you go back and compare these with the list of desirable processes in the previous section (under CMMI), you see a considerable overlap. You can come at IT governance top-down, from a process-oriented and process-improvement angle; or you can come at it bottom-up, from best practice infrastructure procedures such as ITIL (see below). Business Service Management can provide a good framework for presenting an integrated IT governance policy to both IT operations staff and even operational staff in the business, whereas the process-oriented view can appeal to upper management and regulators. In reality, the two views are complementary.
ITIL
Vendors usually promote Business Service Management, but there should be a standards-based approach underlying it. This is usually ITIL, the IT Infrastructure Library [ITIL, Web], which was developed by the UK CCTA (Central Computer and Telecommunications Agency) in the late 1980s and is now owned by the UK Office of Government Commerce (the OGC; ITIL is both a Registered and Community trade mark of the OGC) and adopted worldwide. The ITIL documentation was revised during 2000 to ensure that it is consistent with, and forms part of a logical structure with, the BSI Management Overview (PD0005) from the British Standards Institution (BSI), BS15000-1 (Specification for service management) and BS15000-2 (Code of practice for service management). The British Standards Institution's Standard for IT Service Management (BS15000) supports ITIL and, unlike ITIL itself, is a standard that you can certify against.
ITIL is a library of books describing best practice taken from both the public and private sectors internationally, together with a qualifications scheme, accredited training, and tools to assist with implementation and assessment. It now includes ITIL Live [ITILLive, web], which promises to make best practice more agile and interactive. ITIL certainly isn't limited to UK practice or to public services organisations, despite its ownership by an office of the UK government; it is, in fact, a general framework for IT governance, suitable for small, medium or large organisations, which must be customised to the needs of any particular organisation. A whole philosophy of infrastructure management has grown up around ITIL and the environment needed to support it. A comprehensive ITIL FAQ is available on the Web [ITIL FAQ, Web], but organisations planning to implement IT Service Management might also want to read Planning to Implement Service Management, which explains the steps involved in implementing or improving IT service provision [PlanISM, 2002]. There is also an independent not-for-profit user group (including vendors) called the IT Service Management Forum or itSMF [itSMF, web], which claims to be "a major influence on, and contributor to, industry best practice and Standards worldwide, working in partnership with a wide range of governmental and standards bodies". To use ITIL you really need to buy the library; we can't cover it all here. However, we will provide an overview of its structure and scope, although this is not a definitive guide to ITIL, which is well documented by the OGC. ITIL is all about best practice for well-governed IT service delivery, an important aspect of IT governance (but by no means all of it). Its emphasis is changing towards holistic service management, including business outcomes, and process improvement, although not every ITIL practitioner has caught up with the spirit of the latest version of ITIL yet.
ITIL now covers:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
Configuration management provides a foundation for other processes such as Incident, Problem, Change and Release Management. It maintains a logical model of the IT infrastructure, stored in federated CMDBs (Configuration Management Databases) and built from configuration items (CIs). It identifies, controls, manages and verifies the version of each configuration item. Configuration management involves planning (in detail for 3-6 months ahead and in outline for 12 months past that); identification of CIs (ownership and unique id, for example); control of CIs under change management review; status accounting and tracking; and verification and audit of CIs. Configuration management (see [LacyNorfolk, 2010]) is necessary (but not sufficient) for effective IT Governance.
Change management controls changes to CIs in the production environment and has to balance the need for systems improvement (driven by changing business or the discovery of defects) against the potential risk associated with making changes. Change Management shouldn't be limited to the live environment, although organisations often rely on project change processes to manage change within ongoing, developing initiatives; this can be risky if change to the testing environment is not managed. For example, how can you be sure that the environment you validate changes in corresponds to the live environment? If it doesn't, there are consequent risks for live business service delivery. Change Management typically deals with raising and documenting a change request, assessing its impact, cost, benefit and associated risk, obtaining and documenting change approval, managing the implementation of the change, reviewing the change and closing off the request.
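The configuration and change management points above (a CMDB of identified CIs with owners and controlled versions, verification and audit of those CIs, and the question of whether the environment you validate changes in really matches live) can be made concrete. The following Python is an added example, not code from the book, from ITIL or from any CMDB product; every CI id, component name, owner, version and discovery result in it is constructed sample data.

```python
"""Configuration item verification and audit.

Added example, not taken from the book or from any ITIL publication: a small,
constructed CMDB of configuration items (CIs) plus the two checks the text
calls for. All ids, names, owners and versions below are made-up sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConfigurationItem:
    ci_id: str        # unique id, the handle change management works with
    name: str         # logical component name, shared across environments
    owner: str        # accountable owner, as CI identification requires
    version: str      # the version approved through change management
    environment: str  # "test" or "live"


# Constructed CMDB records: what change management believes is deployed.
CMDB: Dict[str, ConfigurationItem] = {
    ci.ci_id: ci
    for ci in [
        ConfigurationItem("CI-0001", "web-frontend", "web-team", "4.2.0", "live"),
        ConfigurationItem("CI-0002", "app-server", "app-team", "2.3.1", "live"),
        ConfigurationItem("CI-0003", "database", "dba-team", "12.1", "live"),
        ConfigurationItem("CI-0101", "web-frontend", "web-team", "4.2.0", "test"),
        ConfigurationItem("CI-0102", "app-server", "app-team", "2.3.1", "test"),
        ConfigurationItem("CI-0103", "database", "dba-team", "12.0", "test"),
    ]
}

# Constructed discovery results: (environment, name) -> version actually found.
OBSERVED: Dict[Tuple[str, str], str] = {
    ("live", "web-frontend"): "4.2.0",
    ("live", "app-server"): "2.3.2",   # patched outside change control
    ("live", "database"): "12.1",
    ("live", "debug-agent"): "0.9",    # running, but never recorded as a CI
    ("test", "web-frontend"): "4.2.0",
    ("test", "app-server"): "2.3.1",
    # no test database was found by discovery at all
}


def audit_environment(cmdb: Dict[str, ConfigurationItem],
                      observed: Dict[Tuple[str, str], str],
                      environment: str) -> List[str]:
    """Verification and audit: every difference between the CMDB record for
    an environment and what discovery actually observed there."""
    recorded = {ci.name: ci for ci in cmdb.values() if ci.environment == environment}
    seen = {name: ver for (env, name), ver in observed.items() if env == environment}
    findings: List[str] = []
    for name, ci in sorted(recorded.items()):
        if name not in seen:
            findings.append(f"{environment}: {ci.ci_id} {name} recorded but not found")
        elif seen[name] != ci.version:
            findings.append(f"{environment}: {ci.ci_id} {name} version drift: "
                            f"recorded {ci.version}, found {seen[name]}")
    for name, ver in sorted(seen.items()):
        if name not in recorded:
            findings.append(f"{environment}: {name} {ver} found but not recorded")
    return findings


def compare_environments(cmdb: Dict[str, ConfigurationItem],
                         validate_in: str, release_to: str) -> List[str]:
    """Change management check: CIs whose recorded version differs between the
    environment a change is validated in and the one it will be released to."""
    def versions(env: str) -> Dict[str, str]:
        return {ci.name: ci.version for ci in cmdb.values() if ci.environment == env}
    a, b = versions(validate_in), versions(release_to)
    return [f"{name}: {validate_in}={a.get(name)} {release_to}={b.get(name)}"
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)]


if __name__ == "__main__":
    for env in ("live", "test"):
        for finding in audit_environment(CMDB, OBSERVED, env):
            print(finding)
    for mismatch in compare_environments(CMDB, "test", "live"):
        print("validation environment does not match live:", mismatch)
```

Run as written, the audit reports the unapproved app-server patch and the unrecorded agent in live, the missing test database, and the database version gap between test and live that would make validation in test unreliable for a database change. A real CMDB audit would replace the OBSERVED dictionary with the output of a discovery tool and would compare more than a version string, but the shape of the checks is the same.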
Release management is the holistic management of both the technical and the non-technical aspects of major or critical changes. It plans and oversees the successful roll-out of new and changed software and associated hardware and documentation across a distributed environment. Release management includes, but is rather more than, software control and distribution.
Incident management is about detecting and recording incidents (events impacting service levels), classifying them, diagnosing the root cause of the incident and resolving it, with the aim of restoring normal service as soon as possible, with minimum disruption to the business.
Problem management is similar to incident management, except that problems encompass the wider issues behind incidents. An important aspect of problem management is trend analysis and the proactive prevention of problems/incidents. Problem management is more or less the opposite of firefighting. Problem management should supply the organisation with relevant management information reports.
The Service Desk is the central point of contact with the IT Service Organisation for users experiencing problems. A good Service Desk can have a disproportionate effect on customer satisfaction. A good target is to close most service requests at first point of contact with the Service Desk. "Service Desk" is preferable to the older term "help desk", as it reflects the wider scope of a service desk facility. The Service Desk can be expected, these days, to be proactive, suggesting ways in which problems can be addressed before they appear.
The aim of service level management is to document and agree service level agreements (SLAs) between the providers and consumers of IT services, and to improve service levels over time, as the business changes. It is usually important that SLAs are business-oriented, as the availability of one component is of no interest if the service it helps support isn't available to the business.
The aim of capacity management is to ensure that capacity (disk space, computer power etc.) increases or decreases in line with anticipated business volumes and performance needs. There should be a capacity plan, which is agreed with management and assigned a budget, so that it can be implemented to ensure that (in particular) lack of capacity doesn't impact the business. There are three main areas of Capacity Management: analyzing future business plans and ensuring that adequate capacity will be available; analyzing the services provided to customers and anticipated future demand, so that lack of capacity doesn't impact service levels; and analyzing and monitoring the resources used by the IT infrastructure, so that resources don't run out.
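Trend analysis is the part of capacity management that is easiest to show in code. The following Python is an added example, not from the book or from ITIL: it fits a straight line to constructed weekly storage-usage samples and projects the dates on which a warning threshold and the hard capacity limit would be reached, which is the information a capacity plan needs if it is to be budgeted ahead of time rather than after the disk fills. The volume size, the 80% warning policy and the samples are made-up values.

```python
"""Capacity trend analysis for a capacity plan.

Added example, not taken from the book or from ITIL. It fits a least-squares
line to usage samples and projects when a warning level and the hard limit
will be reached. The volume, its capacity and all samples are constructed.
"""
import math
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CAPACITY_GB = 1000.0    # constructed: usable size of the file store
WARNING_FRACTION = 0.8  # constructed policy: raise a plan item at 80% used

# Constructed weekly samples of (sample date, GB in use); growth is 10 GB/week.
SAMPLES: List[Tuple[date, float]] = [
    (date(2024, 1, 1) + timedelta(weeks=i), 400.0 + 10.0 * i) for i in range(8)
]

# Constructed samples for a volume whose usage is not growing at all.
FLAT_SAMPLES: List[Tuple[date, float]] = [
    (date(2024, 1, 1) + timedelta(weeks=i), 500.0) for i in range(4)
]


def fit_trend(samples: List[Tuple[date, float]]) -> Tuple[date, float, float]:
    """Least-squares straight line through the samples.

    Returns (start_date, growth in GB per day, fitted GB in use on start_date).
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to fit a trend")
    start = samples[0][0]
    xs = [(d - start).days for d, _ in samples]
    ys = [used for _, used in samples]
    n = len(samples)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    var_x = sum((x - mean_x) ** 2 for x in xs)
    if var_x == 0:
        raise ValueError("samples must span more than one date")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / var_x
    intercept = mean_y - slope * mean_x
    return start, slope, intercept


def date_reached(samples: List[Tuple[date, float]], level_gb: float) -> Optional[date]:
    """First date on which the fitted trend reaches level_gb.

    Returns None when usage is flat or falling: no exhaustion date can honestly
    be projected from such data, and a capacity plan should say so rather
    than report a date.
    """
    start, slope, intercept = fit_trend(samples)
    if slope <= 0:
        return None
    days = (level_gb - intercept) / slope
    # Round up to the whole day on which the level is crossed; the small
    # epsilon keeps a value such as 420.0000000001 from becoming 421.
    return start + timedelta(days=max(0, math.ceil(days - 1e-9)))


def capacity_report(samples: List[Tuple[date, float]], capacity_gb: float,
                    warning_fraction: float) -> Dict[str, object]:
    """What a capacity plan needs: growth rate, warning date and full date."""
    _, slope, _ = fit_trend(samples)
    return {
        "growth_gb_per_week": slope * 7,
        "warning_date": date_reached(samples, capacity_gb * warning_fraction),
        "full_date": date_reached(samples, capacity_gb),
    }


if __name__ == "__main__":
    report = capacity_report(SAMPLES, CAPACITY_GB, WARNING_FRACTION)
    print(f"growth: {report['growth_gb_per_week']:.1f} GB/week")
    print(f"{WARNING_FRACTION:.0%} full on {report['warning_date']}, full on {report['full_date']}")
    print("flat volume, full on:", capacity_report(FLAT_SAMPLES, CAPACITY_GB, WARNING_FRACTION)["full_date"])
```

With the constructed growth of 10 GB per week from 400 GB, the 80% warning level is reached in October 2024 and the 1000 GB volume is full in February 2025, which is the lead time the budget and procurement steps of the plan have to fit into. A straight line is the simplest model; seasonal or step-change demand (a new business application, for instance) is exactly what the "analyzing future business plans" area of capacity management exists to add on top of it.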
Financial management is a vital part of IT Service Management and is really just the good financial governance of the IT infrastructure: management and reduction of costs, calculation of cost of ownership and return on investment, effective utilisation of resources, management of internal and external contracts and, of course, provision of financial reporting information to management. You would expect an IT organisation to be able to account for the money it spends and to allocate this spend to the provision of defined services. Most organisations will also want to recover these costs from the users of these services, and possibly to influence customer behaviour, by means of some form of chargeback.
Availability management concerns itself with ensuring that IT resources are available as and when needed by the business to satisfy its objectives. It is usually a balance of cost and demand, tempered by business criticality: redundancy, for example, helps to ensure availability but increases the cost of the infrastructure, with redundant components lying idle (unless you exploit some form of grid or on-demand computing model), so it is only used for critical components. Availability Management will monitor service availability against the appropriate service level agreements, and adjust targets and agreements as appropriate.
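Whitehand's distinction earlier between measuring the uptime of every component and the total availability of a business process, the service level management point that a single component's availability is of no interest unless the service is available, and the redundancy trade-off in availability management can all be shown with one calculation. The following Python is an added example, not code from the book or from CSC, BMC or HP; the "order entry" service, its component figures, the SLA target and the outage records are all constructed.

```python
"""Business-service availability from component availabilities.

Added example, not taken from the book or from CSC, BMC or HP. A business
service is modelled as elements in series; an element is either a single
component or a redundant group whose members can each carry the load. The
order entry service, its figures, the SLA target and the outage records are
all constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Sequence, Tuple, Union


@dataclass
class Component:
    name: str
    availability: float  # fraction of the period the component was up

    def value(self) -> float:
        return self.availability


@dataclass
class RedundantGroup:
    """Members that can each carry the load: the group is down only when
    every member is down at once (independent failures are assumed)."""
    name: str
    members: List[Component]

    def value(self) -> float:
        all_down = 1.0
        for member in self.members:
            all_down *= 1.0 - member.availability
        return 1.0 - all_down


Element = Union[Component, RedundantGroup]


def service_availability(elements: Sequence[Element]) -> float:
    """Elements in series: the service is up only when every element is up."""
    result = 1.0
    for element in elements:
        result *= element.value()
    return result


def availability_from_outages(period_start: datetime, period_end: datetime,
                              outages: Sequence[Tuple[datetime, datetime]]) -> float:
    """Turn one component's outage records for a period into an availability."""
    total = (period_end - period_start).total_seconds()
    down = sum((end - start).total_seconds() for start, end in outages)
    return 1.0 - down / total


def allowed_downtime_minutes(target: float, period_days: int) -> float:
    """Downtime budget implied by an availability target over a period."""
    return (1.0 - target) * period_days * 24 * 60


# Constructed data: January 2024, two short app-server outages, and measured
# availabilities for the other elements of the order entry service.
JAN = (datetime(2024, 1, 1), datetime(2024, 2, 1))
APP_OUTAGES = [
    (datetime(2024, 1, 9, 2, 0), datetime(2024, 1, 9, 2, 10)),
    (datetime(2024, 1, 23, 14, 10), datetime(2024, 1, 23, 14, 20)),
]


def order_entry_service() -> List[Element]:
    return [
        RedundantGroup("web tier", [Component("web-1", 0.99), Component("web-2", 0.99)]),
        Component("app-server", availability_from_outages(JAN[0], JAN[1], APP_OUTAGES)),
        Component("database", 0.9995),
        Component("network", 0.9999),
    ]


def sla_report(elements: Sequence[Element], target: float, period_days: int) -> Dict[str, object]:
    """Compare the business-service availability with the SLA target, and
    record whether every element met that same target on its own."""
    availability = service_availability(elements)
    return {
        "service_availability": availability,
        "target": target,
        "met": availability >= target,
        "each_element_meets_target": all(e.value() >= target for e in elements),
        "allowed_downtime_min": allowed_downtime_minutes(target, period_days),
        "projected_downtime_min": (1.0 - availability) * period_days * 24 * 60,
    }


if __name__ == "__main__":
    report = sla_report(order_entry_service(), target=0.999, period_days=31)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point the numbers make is the one in the text: every element of the constructed service, including the two 99% web servers once they are treated as a redundant pair, individually meets a 99.9% target, yet the business service comes out at roughly 99.885% and misses it, because the elements are in series and their unavailability adds up. Reporting component uptime alone would show a green SLA; reporting the business service shows the breach, and the allowed-versus-projected downtime figures show how far off it is.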
Business continuity management is a superset of IT service continuity management (there is no point in ensuring IT service continuity if the business can't make use of the service because something else can't be recovered). This is typically about having tested recovery plans for IT components in the event of a disaster or major failure impacting the business (it is also known as contingency planning or disaster recovery), but the need for management of the recovery process, and the people issues involved (including customer and public confidence), can't be overemphasised. The recovery plans must be regularly reviewed to make sure that they remain in alignment with the needs of the business (and that the processes being recovered are still current), and are worthless unless and until they are tested, which should be repeated regularly.

ITIL is not a fixed standard but is evolving in response to feedback from its stakeholders, although it is probable that there won't now be any new versions, as such; it will evolve and extend under the aegis of ITIL Live [ITILLive, web]. The latest version hasn't materially changed most of the earlier best practices, but the spirit and scope of ITIL has been brought into line with modern thinking. It is taking on a knowledge management aspect through ITIL Live, with case studies, subject matter expert white papers, implementation packages, business cases, etc., complementing the core content; and additional material to support the value proposition associated with ITIL.
What this means in practical terms is that the development and maintenance of automated systems must be firmly based on the analysis and prioritisation of business requirements (including regulatory requirements). It must be possible to trace through from business requirement to code and vice versa. Code should contribute to an identifiable business objective (even if indirectly, as some code is there for technical reasons) and if it doesn't it shouldn't be there; defects and failures should be categorised/reported in terms of the business services they impact. So, the IT Group can expect to be involved in Business Process Management (BPM), using languages such as BPEL (Business Process Execution Language), and Requirements Management. It will be generating at least the framework of an automated system from Analysis and Design models, derived from Requirements models; in fact, it may well adopt Model Driven Development as a discipline. Iterative development with constant reference back to the end-users of the system will be the norm (even eXtreme Programming) and, of course, testing will be key to building the final system. Developers will be as familiar with modelling languages such as UML2 as with coding languages, because abstraction via models lets you more easily understand and validate complex automated systems. And, of necessity, management will give developers realistic schedules, which mean that they have the time to ensure that their automated systems really do align with the business goals of the organisation. There are many standard development processes, so writing your own from scratch (which is how many of the currently available ones started) is no longer particularly useful. Most of them are supported by vendors; IBM/Rational RUP (Rational Unified Process) is a notable, and respected, example.
The issue with a vendor-supported process is that it may focus on areas where the vendor has tools to sell; and it may not abstract its physical implementation from its logical model sufficiently. Ideally, a process should be implemented as a meta-process, used to instantiate a specific process for a particular activity (although the availability of pattern instantiations for typical business situations would make sense). Nevertheless, many organisations get on well with commercial development processes; there are potential issues, but as long as you're aware of them, they can provide a good basis for governance of the development process. However, we'll look at a couple of vendor-independent development processes, in order to illustrate the IT governance issues.
Atern
The DSDM (Dynamic Systems Development Method) Atern [Atern, web] is an accepted methodology for Rapid Application Development (RAD), originally developed by a consortium sponsored by IBM [PCNetAdv, web]. DSDM is designed to be flexible (Agile) and relies on iterative development, using prototypes, within a non-prescriptive framework. It really consists of a non-prescriptive collection of best practices. Atern's iterative lifecycle talks about:
1. Feasibility and Foundation Studies: these evaluate a proposed development for business justification and decide whether using DSDM is appropriate. A Feasibility Report, possibly including an initial solution prototype, is produced.
2. Exploration: this phase reviews the business process the IT system should support, develops an outline prototyping plan and identifies external stakeholders (such as user sponsors and workshop representatives).
3. Engineering: this phase uses prototypes to model the required system, identify non-functional requirements (such as performance and regulatory issues) and produce a functional model, the implementation strategy and a cost benefit analysis. The functional prototype is refined using feedback from the business to drive the production of new prototypes. After sufficient iterations, this phase delivers a working system which addresses all the agreed stakeholder requirements.
4. Deployment: this phase moves the tested system into the users' production environment and will include any user training required.
An important, distinguishing feature of Atern, in addition to iteration, is time boxing. This recognises that scheduled delivery dates are important to the business, so if the project is slipping it maintains the agreed delivery dates by negotiating a reduction in functionality for the relevant prototype, instead of (say) reducing quality. With Atern, dates do not slip but functionality is negotiable.
Other Atern practices include Facilitated Workshops, Modelling and MoSCoW (Must, Should, Could, Won't have) prioritisation. The essence of Atern lies in its eight principles:
1. Focus on business need. Atern takes a user-centred approach, ensuring that users are closely involved throughout the development life cycle as active participants in the overall process. All changes during development are reversible. Atern supports the idea of backtracking to earlier states once iterations of the software stop satisfying the needs of the system's stakeholders. Obviously, this requires work to be performed within a development environment that supports the return to earlier products.
2. Deliver on time. The focus is on frequent delivery of products. Atern is more concerned with the products of a project than the activities per se. Each product is produced within an agreed period of time or timebox (generally a short period, as for earlier RAD approaches), with the team responsible able to choose its own approach to delivering that product.
3. Collaborate. The developers, users and other stakeholders in an Atern project work together to clarify the business need and ensure that development satisfies that need. This contrasts with the contractual approach of traditional development processes, where users are expected to have all their requirements fully elaborated prior to implementation and the developers provide a clear specification of what will be delivered. Atern is more realistic in its approach, reflecting the hard-won IT experience that requirements evolve, due to developing understanding and a changing external environment.
4. Never compromise on quality. Fitness for business purpose is the essential criterion for acceptance of deliverables. Atern is aimed at delivering necessary business functionality when it is needed, with an acceptance that there may be a need for subsequent refinement. This contrasts with more traditional approaches, which can degenerate into slavish delivery of requirements, even after it has become recognised that the requirement has been overtaken by events or was simply plain wrong. Testing is integrated throughout the lifecycle. Testing of Atern products is performed on a continuing basis as an integral part of the overall work. Testing involves both the developers and users, and is concerned with both the verification and validation aspects of the product.
5. Develop iteratively. Business users often don't really know what they want from an automated solution until they have hands-on experience with a prototype; business requirements evolve during development.
6. Build incrementally from firm foundations. The Atern approach favours incremental development, with a significant level of feedback from users. This helps the rapid satisfaction of business need and builds in iteration, in contrast to the view that re-work is managed under an exception procedure, which can be common in other development approaches. This is all believed to facilitate achieving rapid and continuing benefits in DSDM. Requirements are initially base-lined at a high level. Atern agrees the high-level requirements at the start of the project, fixing an agreed scope and purpose of the system overall. This provides a framework within which detailed investigation of the requirements can be conducted.
7. Communicate continuously and clearly. The development of automated systems is, in general, an exercise in communication between all the stakeholders in the business systems being automated, not just the most immediate stakeholders.
8. Demonstrate control. DSDM teams must be empowered to make decisions. The Atern teams combine developers and users, who have the power to decide upon functionality, etc. However, all the stakeholders must have confidence that development is leading, effectively and efficiently, to a desired business outcome; this is the essence of IT governance as it applies to systems development.
Atern is particularly useful to IT governance because it increases user involvement in IT projects and preserves external delivery dates, both of which help reassure external stakeholders in IT, in the business, that IT is under control.
eXtreme programming
IT developers, in particular, are often frightened of process (and, indeed, governance) because of a fear that it will restrict their creativity and put a pile of paperwork in the way of their productivity. In fact, this fear is usually unfounded: building on an accepted process frees developers to be more creative and to do more, and much of the required documentation can be machine-generated (a computer-maintained UML model of a system is better documentation than a folder full of paper). Nevertheless, an Agile development process has grown up in the light of these fears, valuing people over process and the output of working systems or prototypes over abstract documentation. Thoughtworks [Thoughtworks, web] is a good example of a consultancy espousing Agile principles, not only in dealing with customers but also internally.
An extreme example of Agile development is eXtreme Programming (XP). It isn't really defined anywhere (one of its principles is that if XP is broken, you are allowed to fix it, i.e. you can customise your own version of XP), but it is generally accepted that Kent Beck's book, eXtreme Programming Explained [Beck, 1999], is a good starting point. An XP process will consist of a set of good practices, for example:
- Start by collecting short user stories from your users, consisting of a description of some feature of the new system and an acceptance test.
- Build a release plan, delivering useful business function, by grouping user stories together.
- Deliver project iterations taking about 1-3 weeks, selecting the deliverables for an iteration from a prioritised list of user stories and failed acceptance tests.
- Program in pairs: two programmers working on the same code on a single terminal. You'd think this would reduce productivity but, in fact, it increases it, because it reduces rework (neither partner can tolerate unclear code from the other and they spot each other's omissions).
- Keep things as simple as possible for as long as possible, by never adding functionality before it is asked for in a user story.
- Refine the design to remove redundancy, eliminate the unnecessary and rejuvenate tired designs whenever and wherever possible. This is called re-factoring and is an area where experience is vital. It's all about removing unnecessary features and complexity, not about optimising performance and adding new features.
In marked contrast with the expectations of people who don't know XP, it can be very compatible with good IT governance, and even with process improvement approaches such as CMMI. The user involvement ensures that the IT project is aligned with the business; the emphasis on tests for each and every requirement, and constant repetition of the tests as the build changes, promotes quality; incremental delivery ensures that projects don't run out of control.
However, XP requires an extremely disciplined development team, at least as disciplined as for normal development and possibly more so, and some people adopt XP-But (as in "we do XP but we don't bother with all that awful testing"), which won't deliver the same results. According to Kent Beck (op. cit.): "XP is my baby, XP reflects my fears: I am afraid of doing work that doesn't matter; having projects cancelled because I didn't make enough technical progress; making business decisions badly; having business people make technical decisions badly for me; doing work that I'm not proud of." If your programmers think like this, then XP delivers good development governance. If they don't, well, that is a management issue.
only because computer forensics experts are expensive, especially if they're expert on obsolete computer systems. It is better to build audit trails into the system design and possibly copy them securely into a system that only the auditors or internal control group, not the usual system administrators, have access to. However, in practice, this is not always easy: not all operating systems have fully granular security permissions, with no super users (in fact, few do). You perhaps need to give systems administrators the power to change everything except audit data (this may be needed in order to fix problems), although you might want to provide controls on the exercise of these powers; but you might also want to give the auditors the power to see everything, including normally confidential data, but change nothing. When you try to implement such schemes, you discover that you need a sophisticated, rules-based security scheme, but effective schemes like this aren't common when you delve into the details. Taking two examples from the past, Windows NT had the granularity, but was too hard to manage and seldom implemented properly; Novell Netware (after v4) had the sophistication and directory-based manageability, but still supported superuser (all-powerful) IDs (including legacy admin IDs from a previous security model); neither implemented roles fully. Encryption can come to your aid, not for Confidentiality but for non-repudiation. By encrypting a hash total derived from a document and transmitting the encrypted data alongside the document, you can prove that it hasn't been altered (by checking that the received document hashes to the same figure as the original did); a similar approach can be used for digital signatures (remembering that an email, say, is effectively digitally signed anyway, in practice). However, providing a hash signature for everything an auditor may ask about may prove impractical.
When you design financial reporting, it must be based on proper analysis of both the business and regulatory requirements and be fully tested. This extends to the audit trail of changes to the financial record. Think in terms of demonstrating the integrity of your financial reporting in court, not in terms of a computer science exercise (being logically correct is necessary, but may not be sufficient). This is an area where role-playing games in a training situation can concentrate people's minds on the issues.
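The protected-hash audit trail discussed above, as an added example (not the book's own code): each entry's SHA-256 digest is chained to the previous entry and covered by a keyed tag, so that an edit to a record, a re-hash made without the key, or a deleted entry is detected when the auditors verify the trail. It assumes an HMAC under a key held only by the audit group in place of the public-key signature the text describes, and the journal records are constructed.

```python
"""Tamper-evident audit trail: hash chaining plus a keyed tag per entry.

Added example, not the book's own code. The public-key signature the text
describes is replaced by an HMAC under a key held only by the audit
function (an assumption, so the example runs on the standard library);
the verification logic is the same either way.
"""
import hashlib
import hmac
import json

# Constructed key: in practice held by the audit/internal-control group,
# not by the system administrators who can otherwise change everything.
AUDIT_KEY = b"constructed-demo-key-held-by-auditors"

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so its hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_digest(record: dict, prev_digest: str) -> str:
    """SHA-256 of this record chained to the previous entry's digest."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(canonical(record))
    return h.hexdigest()


def append_entry(trail: list, record: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append a record with its chained digest and keyed tag; return the entry."""
    prev = trail[-1]["digest"] if trail else GENESIS
    digest = entry_digest(record, prev)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    entry = {"record": record, "prev": prev, "digest": digest, "tag": tag}
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes = AUDIT_KEY) -> list:
    """Return the indexes of entries that fail verification (empty if intact).

    For every entry: the chain link must equal the previous digest, the
    digest must match the record, and the tag must match the digest under
    the audit key. Editing a record, re-hashing it without the key, or
    deleting an entry in the middle breaks at least one of these checks.
    """
    bad = []
    prev = GENESIS
    for i, e in enumerate(trail):
        ok = e["prev"] == prev
        ok = ok and e["digest"] == entry_digest(e["record"], e["prev"])
        expected = hmac.new(key, e["digest"].encode(), hashlib.sha256).hexdigest()
        ok = ok and hmac.compare_digest(expected, e["tag"])
        if not ok:
            bad.append(i)
        prev = e["digest"]
    return bad


def demo() -> tuple:
    """Build a trail of constructed journal changes, then tamper with it."""
    trail = []
    append_entry(trail, {"seq": 1, "user": "clerk1", "action": "post", "amount": 1200})
    append_entry(trail, {"seq": 2, "user": "clerk2", "action": "post", "amount": 310})
    append_entry(trail, {"seq": 3, "user": "admin", "action": "correct", "amount": -310})
    intact = verify_trail(trail)  # []

    # An administrator quietly edits an amount after the fact.
    trail[1]["record"]["amount"] = 31
    after_edit = verify_trail(trail)  # [1]: digest no longer matches record

    # Recomputing the digest without the key still fails the tag check,
    # and the next entry's chain link no longer matches either.
    trail[1]["digest"] = entry_digest(trail[1]["record"], trail[1]["prev"])
    after_rehash = verify_trail(trail)  # [1, 2]
    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(demo())
```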
and risk. It also helps you align IT with the business by applying a portfolio management discipline to IT projects, applications and infrastructure. It can automate core business processes and promises to reduce costs, while increasing the efficiency and quality of all IT work. It can enable management to improve decision-making and proactive performance management at all levels, by providing visibility into critical performance indicators in real time. It helps management gain control over IT spending through accurate, comprehensive cost measurement, budgeting and meaningful charge-backs, and helps to improve client satisfaction by gathering feedback and collaborating with clients online. It also supports skill tracking; demand and capacity planning; scheduling and time tracking. It helps to control administrative overheads, to eliminate redundant, error-prone manual data handling processes and to improve the morale of both management and staff. Big claims, but in our opinion, after talking to Ayman Gabarin, VP of IT Governance EMEA at Compuware, probably not unfounded.
Mercury promises specific assistance with, for example, the key sections of Sarbanes-Oxley: Section 302, which requires CEOs and CFOs to sign statements, under penalty of perjury, verifying the completeness and accuracy of company financial statements; Section 404, which requires CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting; and Section 409, which requires companies to report material financial events immediately, in real time, instead of waiting for quarter-end. Mercury's products include comprehensive portfolio, program and project management software and real-time dashboards that can be configured for CIOs, CFOs and CEOs to provide early warning of any project missteps, avoiding end-of-quarter surprises. They also provide end-to-end process control over software changes, including enhancements, customisations, configuration, vendor patches and bug fixes; logging of all changes across the development, test stage and production landscapes; control over lifecycle processes; and real-time project status.
Implementing a formal IT governance regime, assuming that you have only ad hoc or informal governance processes at present, involves (despite what some vendors may tell you) a lot more than just buying some software, although once you do have the required culture in place, tools can facilitate the initiative. A first requirement is to align IT governance with corporate governance in general. Think of this as high-level requirements gathering: what are the business governance issues that currently worry the Board and the company auditors, and what questions would they like to ask or, more importantly, are they afraid to ask? Try to talk in terms of business issues, not technical solutions: of being able to demonstrate that the physical implementation of a bank's money laundering policy, for example, is tested against the policies discussed by the Board of Directors, not about implementing Model Driven Architecture and Applications Lifecycle Management tools. This discussion is only an input to your governance initiative. You can't assume that the Board's concerns are the right concerns, because informal risk analysis is often driven by media hype and by our tendency to concentrate on the most recent crisis we experienced. After the IRA bombings in London, people moved data centres down into the basement, where they were safe from bombs but far more vulnerable to flooding, which is far more likely to affect a building in London than a bomb. Nevertheless, you'll get no credit for your IT governance initiative if you can't sensibly address the one question the CEO wants to ask, when he or she wants to ask it (even if the answer goes on to suggest that he or she may be asking the wrong question).
5 IMPLEMENTING IT GOVERNANCE
As with any other IT project, IT governance needs clear objectives and a budget allocation, and a plan showing how these objectives will be achieved and how the budget will be allocated. Implementation should be in stages, frequently delivering defined governance benefits, rather than a big-bang implementation delivering perfect governance in one go, years in the future, if the company remains focused on the project for that long. The stages in implementing an IT governance initiative from scratch would be, broadly (and in no particular order), as follows:
The best way to do this is with diagrams, but the relationships involved are too complex for this to be done manually. In addition, there is a strong risk that such maps will become out of step with reality. Business process analysis/management tools can provide a useful bridge between the world of IT and the world of business, although there isn't a lot of evidence that they're being used for this yet. The best way to maintain such mappings is therefore with automated tools that can generate the framework (at least) for automated systems from models relating business processes to IT systems. Look for suites of systems development tools (not necessarily from the same vendor) that support the entire development lifecycle, from business process modelling and requirements management through to coding and testing.
you can't really certify against this, as it isn't a specification you can assess against. You also need BS7799-2:2002, the corresponding specification (which you can certify against); both are available as a package, with some extra material, as the ISO 17799 Toolkit. ISO 17799 et al. provides an excellent framework for implementing security and ensures that you take a holistic approach, starting with risk management (although it isn't strong on the details of this) and covering often-neglected areas such as business continuity. However, some form of mentoring from an external security consultant is recommended too, as it is difficult to make an unbiased assessment of the risks and threats facing you from inside an organisation. Tools to support IT risk assessment, implement ISO 17799 and so on are available. Some of these can be very useful, but beware of concentrating only on those areas your tools cover and neglecting business risk assessment as a whole: there is little point in mitigating the IT risk affecting a system if the business risk is uncontrolled; and almost any IT security measures can be rendered ineffective if unhappy or unjustly-treated staff can be compromised, or if physical access to the premises and IT infrastructure isn't effectively controlled. In the case of risk assessment tools in particular, investigate the provenance and localisation of the threat database that underlies their risk assessment facilities. A database relating to US threats, say, may not be wholly appropriate in the UK, and a database that is some years old may miss emerging threats (ideally, you should be able to add threats from your own history to the database).
By its very nature, BSM must be cross-platform. Business users will not be happy if business-friendly service level reporting and management stops abruptly when their data strays onto the mainframe, for example. This is a serious governance issue, as discontinuities in the vocabulary and culture of service level management and security facilitate breakdowns in IT governance at that point.
in from the start by designing critical systems to be resilient. BCM is non-trivial to do well and external consultancy may be attractive. It must be firmly based on an objective assessment of risks (itself difficult unless you are an experienced risk assessor), including risks the organisation hasn't encountered yet, and deal with the spectrum of contingency from minor service interruptions to a full-blown disaster that eliminates a data centre in its entirety. It is important to ensure that IT governance is maintained sensibly (at a managed level) during a contingency, as otherwise a contingency could be engineered as an opportunity to steal data, compromise business transactions or financial reports, or sabotage systems. A whole-systems approach to business continuity should be adopted. The non-availability of phones or a serious health and safety issue can take out a business service just as effectively as a fire-damaged computer.
If you don't build software, you need a similar process for implementing packages. You still need to analyse business requirements, in order to choose a package which best fits your business process and to assess the impact of the business process embodied in the package on your existing business process. And you still need to test package applications, in case they don't do what they say they will, or you implement them incorrectly. If you customise a package, this is really a small systems development project and similar QA measures are necessary.
This is usually associated with a service desk function, which should aim for pre-emptive identification and mitigation of emerging issues, ideally before they have any impact on a business service. There are many sophisticated service desk packages: BMC Remedy [Remedy, web], for example, or FrontRange's HEAT [HEAT, web].
governance makes you more efficient, you can't claim the man-hours saved as a benefit until you actually reduce headcount or redeploy people onto productive work.
13. Reviews
Reviews of IT systems after changes have bedded in, in order to enable a gap analysis of the differences between aspiration and reality, followed by the scheduling of maintenance efforts aimed at reducing any gaps, are an important characteristic of good IT governance. Sometimes, as with CMMI initiatives (see Chapter 2), these reviews are part of a formal process but, regardless of how you approach IT governance, there must be some sort of review and feedback process. Change seems to be part of the nature of IT, so a static governance system, however effective, is unlikely to stay effective for long. In the next chapter we summarise the findings of the Report.
Chapter 6 Conclusions
Companies with better than average IT governance earn at least a 20 percent higher return on assets than organisations with weaker governance.
JEANNE ROSS AND PETER WEILL IN THE JUN. 15, 2004 ISSUE OF CIO MAGAZINE.
If it were done when 'tis done, then 'twere well it were done quickly.
SHAKESPEARE, MACBETH.
So, what is IT governance? It is an extension of corporate governance generally, which ensures that automated systems contribute effectively to the business goals of an organisation, that IT-related risk is adequately identified and managed (mitigated, transferred or accepted), and that automated information systems (including financial reporting and audit systems) provide a true picture of the operation of the business. Changes in legislation mean that IT governance is, or will be shortly, a pressing concern in many companies dependent on IT. In Chapter 1, we looked at the context of IT governance in corporate governance. IT governance is important because various accounting and other scandals (Worldcom, Enron, failed government contracts and so on) have led the powers that be to suspect that financial systems are creeping out of control. They are realising that most financial controls are based on IT and that this apparent loss of control could impact commercial confidence generally. Stephen Haddrill, Director General, Fair Markets, summed the situation up well in his Foreword to Proposal by the European Commission for a Directive on Statutory Audit of Annual and Consolidated Accounts, September 2004 (the Department of Trade and Industry (DTI) consultation period on this ended 30 November 2004 [8thDir, web]; the DTI was replaced by the Department for Business, Enterprise and Regulatory Reform and the Department for Innovation, Universities and Skills on 28 June 2007): "We believe the market is the best regulator of corporate activity. For the market to operate efficiently, however, we need a robust legal framework
that ensures that investors have full and accurate information on which to base their decisions. Following the collapse of WorldCom and Enron in the US, and miscellaneous corporate scandals elsewhere, the Department of Trade and Industry (DTI) reviewed all aspects of financial and audit reporting. We concluded that our approach was fundamentally sound, but that the system could be strengthened in a number of ways. In particular, we expanded the role of the Financial Reporting Council to provide independent oversight of the audit profession. The European Commission has looked at these issues in parallel. One result of their work is a proposal for a new 8th Company Law Directive on statutory auditing which updates the original 1984 Directive, and follows many of the UK's initiatives." This activity means that stakeholders in IT governance, even if they are indirect stakeholders, are starting to ask questions that concern IT governance. An investor in a company wants to be sure that the financial reports s/he relies on haven't been tampered with so as to misrepresent the true position of the company, and also wants to be confident that they won't contain errors that are the result of program bugs or logic errors. In Chapter 2, we reviewed the external pressures for IT governance, from the legal and regulatory systems in which companies using IT must operate. The legal systems in most countries are increasingly making company directors responsible for corporate governance and therefore IT governance. In Chapter 3, we analysed the organisational impact of corporate governance and the building of a more mature, measurement-focused organisation. The Capability Maturity Model Integration (CMMI) from the Software Engineering Institute at Carnegie Mellon University was described, which can be taken as a framework for talking about Capability and Maturity, even if you don't assess formally.
In Chapter 4, we looked at the impact on the IT group specically and at initiatives like DSDM (the Dynamic Systems Development Method) and ITIL (the IT Infrastructure Library). In Chapter 5, we overviewed the implementation of IT governance. Key to this is, as always, getting buy-in at all levels and removing barriers to implementation with training.
Our overall conclusion must be that good IT governance, in a form that can be demonstrated to the stakeholders in an organisation and to interested third parties, if appropriate, is now an explicit requirement for any IT group. A piecemeal approach is likely to be expensive, as it will have to be repeated every time something changes; the legal framework around corporate governance these days makes cosmetic compliance a high-risk strategy. So, the fundamental requisite for good IT governance is a mature and capable organisation: one that says what it is going to do, does it, measures the consequences and applies feedback in order to bring reality closer to the original aspiration. Such an organisation will find a process-based approach to be more effective and, in the long term, cheaper to maintain. It will adopt standards-based frameworks such as ITIL for infrastructure management and DSDM Atern for systems development, both to avoid reinventing the wheel and to ensure that inappropriate assumptions don't result in aspects of governance being overlooked. Then, once it knows what it wants to do, it will use tools to automate its processes as far as is appropriate. Computer-aided people are more cost-effective and efficient than people alone, more flexible than automation alone, and governance rules embodied in software or as parameters applied to software are easier (and cheaper) to audit and enforce.
Appendix
Resources
[8thDirCons, web] http://webarchive.nationalarchives.gov.uk/tna/
[ALM, web] The Borland/Micro Focus solution for Application Lifecycle Management (ALM), http://www.borland.com/alm/; see also http://www.microfocus.com/products/
[APB, web] Bulletin 2006/5, The Combined Code on corporate governance: Requirements of auditors under the Listing Rules of the Financial Services Authority, and Bulletin 2009/4, Developments in Corporate Governance Affecting the Responsibilities of Auditors of UK Companies, http://www.frc.org.uk/
[Atern, web] DSDM Atern, http://www.dsdm.org/atern/
[Atrium, web] http://www.bmc.com/products/brand/bmc-atrium0726.html
[AuditMaster, web] Pervasive's AuditMaster tool, http://www.pervasive.com/
[BalScore, web] The Balanced Scorecard Institute, http://www.balancedscorecard.org/
[BCSCode, web] The BCS Code of Practice, http://www.bcs.org/server.php?show=nav.6029
[Beck, 1999] Kent Beck, Extreme Programming Explained: Embracing Change, 1999, Addison Wesley, ISBN 0201616416
[BIS, web] Bank for International Settlements, Enhancing corporate governance for banking organisations (September 1999), http://www.bis.org/publ/bcbsc138.pdf
[BloorAnalytics, web] http://www.bloorresearch.com/blog/thenorfolk-punt/2010/8/its-not-just-analytics____.html
[BoardBrief, web] Board Brieng on IT Governance, 2nd Edition IT Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA, Phone: +1.847.590.7491, Fax: +1.847.253.1443, E-mail: info@itgi.org, Web sites: www.itgi.org and www.isaca.org
[BSA, web] The Business Software Alliance, http://www.bsa.org/
[BSM, web] http://www.bmc.com/solutions/bsm
[CC, web] The Combined Code on corporate governance, July 2003, http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf
[Changepoint, web] Compuware Changepoint, http://www.compuware.com/solutions/it-portfolio-management.asp, and Compuware IT Governance, http://www.compuware.com/services/professional-services-it-governance.asp
[CMMI, web] Capability Maturity Model Integration, http://www.sei.cmu.edu/cmmi. This model is based on assessment against 5 maturity levels:
5. Continuous process improvement through proactive process measurement
4. Quantitative process metrics, at the organisational level, used to manage and improve the process
3. Managed process at an organisational level
2. Managed process at a project level
1. Ad hoc application of process
[CompaniesAudit, web] Companies (Audit, Investigations and Community Enterprise) Act 2004, http://www.legislation.gov.uk/ukpga/2004/27/contents and http://www.companieshouse.gov.uk/companiesAct/companiesAct.shtml
[Constantine, 1995] Larry Constantine, Constantine on Peopleware, Yourdon Press, 1995, ISBN 0-13-331976-8
[COSO, web] http://www.coso.org/
[Disability, web] Disability Discrimination Act 1995, http://www.legislation.gov.uk/ukpga/1995/50/contents; also Special Educational Needs and Disability Act 2001, http://www.legislation.gov.uk/ukpga/2001/10/contents
[DPA, web] Data Protection Act 1998, http://www.ico.gov.uk/for_organisations/data_protection.aspx and http://www.legislation.gov.uk/ukpga/1998/29/contents
[ESB, 2004] David A Chappell, Enterprise Service Bus, 2004, OReilly, ISBN 0-596-00675-6
[EUAuditDir, web] Scoreboard on the transposition of the Statutory Audit Directive (2006/43/EC), http://ec.europa.eu/internal_market/auditing/docs/dir/01_02_10_scoreboard_en.pdf
[Faegre, web] Michael Fleming, Sarbanes-Oxley and IT: Beware of Magic Bullet Solutions, Trends (Faegre & Benson), 2003; appears to be no longer available on the Web
[FI, web] Freedom of Information Act 2000, http://www.ico.gov.uk/for_organisations/freedom_of_information.aspx and http://www.legislation.gov.uk/ukpga/2000/36/contents
[HAS, web] Statutory Instrument 1999 No. 3242 The Management of Health and Safety at Work Regulations 1999, http://www.legislation.gov.uk/uksi/1999/3242/contents/made
[HEAT, web] HEAT Help Desk from FrontRange Solutions, http://www.frontrange.com/software/help-desk/ (see also its full range of IT service management solutions at http://www.frontrange.com/ProductsSolutions/Category.aspx?id=22&ccid=41)
[IBMDoors, web] IBM Rational DOORS, http://www-01.ibm.com/software/awdtools/doors/ and IBM Rational SYNERGY, http://www-01.ibm.com/software/awdtools/synergy/
[IBMJAZZNET, web] Jazz community, http://jazz.net/
[IBMRAM, web] Rational Asset Manager, http://jazz.net/projects/rational-asset-manager/
[IOD, 2004] Institute of Directors and SAS, corporate governance, 2004, Director Publications, ISBN 1 9045 2025 3
[ISO27000, web] a consortium of security consultants at http://www.27000.org/ and the ISO site at http://www.iso.org/
[ITGI, web] the IT Governance Institute http://www.itgi.org/ [ITIL, web] Originally IT Infrastructure Library, now simply ITIL http://www.itil-ofcialsite.com/home/home.asp
[ITIL FAQ, Web] http://www.itil-ofcialsite.com/faq.asp [ITILLive, web] http://www.bestpracticelive.com/ [ITPP, 2010] IT Policies and Procedures, Section 9, Legislative Compliance, published by Croner (Wolters Kluwer (UK) Limited) (http://www.croner.co.uk/croner/productDetails/category/Sectorswe-serve/General-Ofce-Management/product/GEE-IT-Policiesand-Procedures)
85
I T G O V E R N A N C E M A N A G I N G I N F O R M AT I O N T E C H N O L O G Y F O R B U S I N E S S
[Kaplan and Norton, 1992] Robert Kaplan and David Norton, The Balanced Scorecard Measures that Drive Performance, Harvard Business Review, 1992
[Kaplan and Norton, 1996] Robert Kaplan and David Norton, The Balanced Scorecard: Translating Strategy into Action, Harvard Business School Press, 1996, ISBN 0-87584-651-3
[LacyNorfolk, 2010] Conguration Management Expert Guidance for IT Service Managers and Practitioners by Shirley Lacy, David Norfolk (ISBN: 9781906124588) http://www.bcs.org/server.php?show=nav.13336
[Netegrity, 2005] Netegrity has now been acquired by CA; the Netegrity IT Security/Compliance Survey, 2005 is unfortunately is not available on the web (http://www.netegrity.com)
[OECD, web] The review process for the OECD Principles of corporate governance http://www.oecd.org/document/ 26/0,3343,en_2649_34813_23898906_1_1_1_1,00.html
[PlanISM, 2002] Planning to Implement Service Management, 2002, ISBN 0113308779 (CD ISBN: 0113309058)
[Reiss. 1995] Geoff Reiss, Project Management Demystied, 2nd ed, 1995, E and FN Spon, ISBN 0 419 20750 3
86
APPENDIX
[Reiss. 1996] Geoff Reiss, Programme Management Demystied, 1st ed., 1996, E and FN Spon, ISBN 0 419 21350 3
[Remedy, web] BMC Software Remedy Service Management, http://www.remedy.com/ and http://www.bmc.com/products/ product-listing/53035210-143801-2527.html
[SEC-SOX, web] SEC compliance dates for Section 404 of Sarbanes-Oxley (http://www.sec.gov/rules/nal/33-8238.htm)
[SOX, web] Sarbanes-Oxley Act, http://www.gpo.gov/ Wikipedia provides a fairly useful overview, http://en.wikipedia.org/wiki/sarbanes-oxley_act
[StandDir, web] Standards Direct is a source for copies of the ISO 27000 security standards (renumbering ISO 17799), and a useful source of other BSI standards, http://www.standardsdirect.org/ iso17799.htm
[STR-DPA, web] the uks anti-money laundering legislation and the Data Protection Act 1998, guidance notes for the nancial sector April 2002, http://www.hm-treasury.gov.uk/
[SUNLive05, web] SUNLive05 conference, March 22nd 2005; SUN Microsystems now belongs to Oracle and this conference no longer appears to be on the Web http://www.oracle.com/us/sun/index.htm
[Thoughtworks, web] http://www.thoughtworks.com [TOGAF, web] TOGAF http://www.opengroup.org/togaf/ [Turnbull, web] ICAEW Guidance for Directors on the Combined Code http://www.icaew.com/index.cfm/route/159066/icaew_ga/en /Library/Links/Corporate_governance/Corporate_governance_code s/UK_Corporate_Governance_Codes_and_Reports; and Turnbull Guidance at http://www.frc.org.uk/corporate/internalcontrol.cfm
87
I T G O V E R N A N C E M A N A G I N G I N F O R M AT I O N T E C H N O L O G Y F O R B U S I N E S S
[WEEE, web] WEEE Recycling Directive, http://www.environment-agency.gov.uk/business/topics/waste/ 32084 .aspx and http://www.legislation.gov.uk/
88
IT Governance
Norfolk, David. Price 99. ISBN: 978-185418745-1
This specially commissioned briefing sets out what the latest legislation says and what it means, its impact on the organisation as a whole and on the IT group specifically, and how to implement an effective IT governance initiative in your company.
For full details of any title, and to view sample extracts, please visit:
www.thorogoodpublishing.co.uk