You are on page 1of 60



CEPIS, Council of European Professional Informatics
Societies, is a non-profit organisation seeking to improve and
promote high standards among informatics professionals in
recognition of the impact that informatics has on
employment, business and society.

CEPIS unites 37 professional informatics societies over
33 European countries, representing more than 400,000
ICT professionals.

CEPIS promotes

* This monograph will be also published in Spanish (full version printed; summary, abstracts, and some
articles online) by Novtica, journal of the Spanish CEPIS society ATI (Asociacin de Tcnicos de
Informtica) at <>.
UPGRADE is the European J ournal for the
Informatics Professional, published bimonthly
at <>
UPGRADE is published on behalf of CEPIS (Council of European
Professional Informatics Societies, <>) by
Novtica <>, journal of the Spanish
CEPIS society ATI (Asociacin de Tcnicos de Informtica, <http://>)
UPGRADE monographs are also published in Spanish (full version
printed; summary, abstracts and some articles online) by Novtica
UPGRADE was created in October 2000 by CEPIS and was first
published by Novtica and INFORMATIK/INFORMATIQUE, bi-
monthly journal of SVI/FSI (Swiss Federation of Professional
Informatics Societies, <>)
UPGRADE is the anchor point for UPENET (UPGRADE European
NETwork), the network of CEPIS member societies publications,
that currently includes the following ones:
Informatik-Spektrum, journal published by Springer Verlag on
behalf of the CEPIS societies GI, Germany, and SI, Switzerland
ITNOW, magazine published by Oxford University Press on behalf
of the British CEPIS society BCS
Mondo Digitale, digital journal fromthe Italian CEPIS society AICA
Novtica, journal from the Spanish CEPIS society ATI
OCG Journal, journal from the Austrian CEPIS society OCG
Pliroforiki, journal from the Cyprus CEPIS society CCS
Pro Dialog, journal from the Polish CEPIS society PTI-PIPS
Editorial Team
Chief Editor: Lloren Pags-Casas, Spain, <>
Associate Editor: Rafael Fernndez-Calvo, Spain, <>
Editorial Board
Prof. Wolffried Stucky, CEPIS Former President
Prof. Nello Scarabottolo, CEPIS Vice President
Fernando Piera Gmez and Lloren Pags-Casas, ATI (Spain)
Franois Louis Nicolet, SI (Switzerland)
Roberto Carniel, ALSI Tecnoteca (Italy)
UPENETAdvisory Board
Hermann Engesser (Informatik-Spektrum, Germany and Switzerland)
Brian Runciman (ITNOW, United Kingdom)
Franco Filippazzi (Mondo Digitale, Italy)
Lloren Pags-Casas (Novtica, Spain)
Veith Risak (OCG Journal, Austria)
Panicos Masouras (Pliroforiki, Cyprus)
Andrzej Marciniak (Pro Dialog, Poland)
Rafael Fernndez Calvo (Coordination)
English Language Editors: Mike Andersson, David Cash, Arthur
Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore,
Hilary Green, Roger Harris, Jim Holder, Pat Moody, Brian Robson
Cover page designed by Concha Arias Prez
"Strategos" / ATI 2008
Layout Design: Franois Louis Nicolet
Composition: Jorge Llcer-Gil de Ramales
Editorial correspondence: Lloren Pags-Casas <>
Advertising correspondence: <>
UPGRADENewslist available at
Novtica 2008 (for the monograph)
CEPIS 2008 (for the sections UPENET and CEPIS News)
All rights reserved under otherwise stated. Abstracting is permitted
with credit to the source. For copying, reprint, or republication per-
mission, contact the Editorial Team
The opinions expressed by the authors are their exclusive responsibility
ISSN 1684-5285
Monograph of next issue (April 2008)
"Model-Driven Software Development"
(The full schedule of UPGRADE is available at our website)
Vol. IX, issue No. 1, February 2008
2 Presentation. IT Governance: Fundamentals and Drivers Ddac
Lpez-Vias, Antonio Valle-Salas, Aleix Palau-Escursell, and
Willem-Joep Spauwen
5 This is NOT IT Governance Jan van Bon
14 ITIL V3: The Past and The Future. The Evolution Of Service Man-
agement Philosophy Troy DuMoulin
16 PMBOK and PRINCE 2 for the Management of ITIL Implementa-
tion Projects Grupo de Metodologas de Gestin de Proyectos of
the itSMF Spain under the coordination of Javier Garca-Arcal
23 Business Intelligence Governance, Closing the IT/Business Gap
Jorge Fernndez-Gonzlez
31 IT Project Portfolio Management: The Strategic Vision of IT Projects
Albert Cubeles-Mrquez
37 ISO20000 An Introduction Lynda Cooper
40 COBIT as a Tool for IT Governance: between Auditing and IT
Governance Juan-Ignacio Rouyet-Ruiz
44 Implementing IT Governance Ad@pting CobiT, ITIL and Val IT: A
Respectful Caricature Ricardo Bra-Menndez and Manuel Palao
48 What Governance Isnt Rob England
52 From Pro Dialog (PTI-PIPS, Poland)
Software Engineering
A View on Aspect Oriented Programming Konrad Billewicz
57 CEPIS Working Groups
Authentication Approaches for Online Banking CEPIS Legal
and Security Special Interest Network
Monograph: IT Governance (publ i shed j oi nt l y wi t h Novt i ca*)
Guest Editors: Ddac Lpez-Vias, Antonio Valle-Salas, Aleix Palau-Escursell, and
Willem-Joep Spauwen
2 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
IT Governance: Fundamentals and Drivers
Ddac Lpez-Vias, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen
The Guest Editors
Ddac Lpez-Vias is the Director of IT Services at the Girona
University (Universitat de Girona UdG-, Spain), Director of
ICT at the Science and Technology Park of the UdG, and
consultant at UOC (Universitat Oberta de Catalunya) for
postgraduate courses in technology services management. He is
a graduate in Computer Science from UPC (Universitat
Politcnica de Catalunya), holds a postgraduate degree in IT
Management from ICT (Institut Catal de Tecnologia), another
in Enterprise Information Management (Infonoma, UPF), and
an MBA from Las Heures (UB). Before working in university IT
services he was a systems engineer at Hewlett Packard and
IECISA. He has played an active role on various boards of
governors of the ATI (the Spanish Association of Computer
Technicians) and has collaborated with the COEIC (Collegi Ofi-
cial dEnginyeria en Informtica de Catalunya) serving on the
Deans Council. He has been president of ATI Catalunya since
J anuary 2005. <>.
Antonio Valle-Salas is Project Manager at Abast Systems and is
a specialist consultant in ITSM (Information Technology Service
Management) and IT Governance. He graduated as a Technical
Engineer in Management Informatics from UPC (Universitat
Politcnica de Catalunya) and holds a number of methodology
certifications such as ITIL Service Manager from EXIN
(Examination Institute for Information Science), Certified
Information Systems Auditor (CISA) from ISACA, and COBIT
Based IT Governance Foundations from IT Governance Network,
plus more technical certifications in the HP Openview family of
management tools. He is a regular collaborator with itSMF (IT
Service Management Forum) Spain and its Catalan chapter, and
combines consulting and project implementation activities with
frequent collaborations in educational activities in a university
setting (such as UPC or the Universitat Pompeu Fabra) and in
In recent years there has been much talk about IT Gov-
ernance and the management of organizations in general,
which has captured the interest of all those involved in ICT
After a number of decades during which ICT has been
applied in organizations in an non-harmonized manner, with
different aims in each organization, there was a growing
realization that, while such technologies should be at the
service of business, that is not always the case.
If we were talking about another functional area, such
as Human Resources or Accounting, rather than ICT, we
would take it for granted that the activities undertaken by
those departments were aligned with the goals of the or-
ganization they belonged to, and we would not feel the need,
although such a need may exist, to create reference models
and methodologies to ensure that they were aligned. How-
ever, in many organizations ICT is not adequately aligned
with the organizations goals, which may lead to project
deviations (negative return on investment, uncontrolled
expenses, etc.), or unmanaged risks. This is what has given
rise to the concept we know today as IT Governance.
Organizations may be thought of as a coordinated set of
the world of publishing in which he has collaborated on such
publications as IT Governance: a Pocket Guide, Metrics in IT
Service Organizations, Gestin de Servicios TI. Una introduccin
a ITIL, and the translations into Spanish of the booksITIL V2 Service
Support and ITIL V2 Service Delivery. <>.
Aleix Palau-Escursell is a partner and Commercial Director of
NETMIND, a company engaged in IT training, consultancy, and
management. Aleix holds a Higher Diploma in Management
Informatics, a Master in Sales Management from EADA, and a
Master in ICT Management from La Salle (Universitat Pompeu
Fabra). His entire professional career to date has been in NETMIND
where he has led the companys commercial expansion and
established it as one of the pioneers in the provision of training and
consultancy services for Project Management, ITIL, and ISO 20000.
In recent years he has played an active role in disseminating best
practices and methodologies for Project Management and IT Service
Management, collaborating with organizations such as PMI (Project
Management Institute), itSMF (IT Service Management Forum),
ATI, and La Salle, among others. <>.
Willem-Joep Spauwen is a senior consultant at Quint Wellington
Redwood Iberia. He graduated in Business Administration at the
University of Groningen, Netherlands. He has specialized in ICT
Governance and added value provided by business management
and organization related Information Systems. His career began in
the IT Department of Royal Dutch Airlines KLM, where he played
an active role in the field of IT-Business alignment. At Quint
Wellington Redwood he works as an international consultant in the
field of IT management. He has taken part in several projects
undertaken by multinationals in the Netherlands, the USA, Mexico,
and Spain. He also participates regularly in a number of international
forums. <>.
UPGRADE Vol. IX, No. 1, February 2008 3
IT Governance
information systems in which human and material resources
participate, but the key to successful organizations resides
in the information per se and the way it is automated. Here
is where the managers of organizations may question the
manner in which that information is processed and the risks
they are taking, both as a result of mistakes that may be
made and in terms of the cost of not having that informa-
Meanwhile, the strategic opportunities afforded to or-
ganizations by ICT have given rise to difficulties concern-
ing the management of those technologies. Many compa-
nies do not hesitate to describe their ICT departments as
strategic or critical to their core activities while at the same
time recognizing that ICT causes problems that they hesi-
tate to describe as unmanageable.
Thus ICT departments are often perceived as a pure ex-
pense rather than a value-adding resource. They are seldom
considered as an opportunity, and investment in ICT is of-
ten seen as a technologists whim, always to be questioned.
Part of the problem lies in the difficulty that managers
have in seeing ICT in the company as part of their responsi-
bility and in acquiring the basic knowledge required to take
on that responsibility. But the CIOs are also to blame for
not understanding organizations and their business objec-
tives, for not taking managerial language on board, for not
listening to the real problems of functional managers, and
for focusing their goals on technology and not on the prac-
tical exploitation of that technology.
We can sum up this general problem as being a diffi-
culty to integrate and align ICT departments operations and
internal organization within the greater organization and its
technological goals. The problem also stems from the mis-
conception that general managers have of ICT departments
as separate and almost unrelated units due to the techno-
logical nature of their role.
Companies and organizations in general need to close
this gap between general management and ICT departments
by applying management methodologies that will integrate
ICT departments within the greater organization and align
their operations with corporate goals.
If this gap is to be closed, the managers of organizations
need to understand that the ICT department must be man-
aged within the context of business objectives as an insepa-
rable part of the business, and that they need to learn ICT
management methodologies. Meanwhile the managers of
the ICT department should understand their mission within
the context of the companys corporate goals. ICT manage-
ment should not be seen as a separate goal or discipline, but
rather as a cross-functional process affecting the entire or-
ganization, one in which everyone should play an active
Many organizations are now getting the most out of ICT
by understanding and managing the benefits and risks in-
volved, by successfully aligning their ICT strategy with
corporate strategy to form a single integrated strategy, by
putting in place mechanisms and processes to implement
that strategy, including mechanisms to monitor and control
ICT systems, and by using metrics to measure ICT manage-
ment performance. The set of methodologies that allows us
to achieve the above objectives is what we now call IT
IT Governance draws on a number of different fields
(monitoring and control, audit, metrics, service management,
and quality management) to create models identified by such
trendy terms as ITIL, Cobit, Val IT, ISO 20.000, etc., and
their pertinent certifications. This same trend has also given
rise to a great deal of confusion and management by fad
with regard to the concepts involved.
The aim of the ensuing monograph is to bring readers
up to speed with the latest trends, to show how such trends
may be reasonably applied, and to try and explain just what
IT Governance is, and what it is not.
4 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
The following references, along with those included in
the articles this monograph consists of, will help our read-
ers to dig deeper into this field.
Koen Brand, Harry Boonen. IT Governance based
on CobiT 4.0. A management guide. ITSM Library.
Van Haren Publishing, 2007. ISBN: 9087530218.
J an Van Bon et al. IT Service Management An
Introduction. Van Haren Publishing. ISBN:978908
Office of Government Commerce. Best practice for
Service Support. ITIL the key to managing IT Serv-
ices. TSO Books, 2001. ISBN: 9780113300150 /
Office of Government Commerce. Best practice for
Service Delivery. ITIL the key to managing IT Serv-
ices. TSO Books, 2001. ISBN: 9780113300174 /
Office of Government Commerce. ITIL Small-scale
Implementation. TSO Books, 2005. ISBN: 978011
Mark D. Lutchen. Managing IT as a Business: A Sur-
vival Guide for CEOs. McGraw-Hill, 2006. ISBN:
Gary Case, Troy DuMoulin, George Spalding, Anil C.
Dissanayake. Service Management Strategies that Work.
Van Haren Publishing, 2007. ISBN: 9789087530488.
Peter Brooks. Metrics for IT Service Management. Van
Haren Publishing, 2006. ISBN: 9789077212691.
IT Governance Institute. IT Governance Implemen-
tation Guide: Using COBIT and Val IT. 2nd Edi-
tion. ISACA, 2007. ISBN: 9781933284750.
IT Governance Institute. Cobit 4.1. ISACA, 2007.
ISBN: 9781933284729.
Office of Government Commerce. ITIL Version 3
Core Titles: The Official Introduction to the ITIL
Service Lifecycle; Continual Service Improvement
(CSI); Service Design (SD); Service Operation
(SO); Service Strategy (SS); Service Transition (ST).
Useful References on IT Governance
IT Governance Institute <>.
Information Systems Audit and Control Association
IT Infrastructure Library <>.
Information Technology Service Management Forum
ITSM Portal <>.
ISACA. Val IT Overview <
cfm?Section=Home&CONTENTID=21569& SECTION=
Mark Toomey. AS8015 Corporate Governance of
ICT Practical Application <
Pink Elephant. ITIL v3: What You Need To Know
765/ITILv3WhatYouNeedToKnowNA1.pdf>. ITIL V3-V2 Mapping <http://www.itil. org/en/
Web Sites
The Val IT framework <http://itgovernance.pbwiki.
com/ValIT>, <>.
COBIT 4.1 news <>.
Enabling IT Governance <
History of I TI L <
ITSMWatch <>.
ITIL Training Zone <>.
Troy DuMoulins blog <
The IT Skeptic <>.
Serge Thorns blog <http://sergethorn.>.
ICT Governance <>(in Span-
UPGRADE Vol. IX, No. 1, February 2008 5
IT Governance
Keywords: Decision Making, Executive, Frameworks,
Information Management, IT, ITIL, IT Governance, Man-
agement, Model Enhanced, Organization, Planning and
Control, Strategic Alignment.
1 Introduction
IT Governance is important to CEOs and to CIOs -
but what is it, and what is it NOT? This article provides
some insight into that question, using a number of mod-
ern management frameworks
2 What is IT Governance about?
With the ever growing role of information in the Busi-
ness, it is hard to deny that this world has become totally
dependent upon information management. Many organiza-
tions wouldnt even survive for more than a few days if
their information systems would discontinue. This is the
first and main reason for the existence of IT Governance;
you need to be in control of your information supporting
systems. But there are other significant reasons as well.
First of all: organizations need to make sure they com-
ply to external regulatory requirements. We all know the
examples of what happens if this is not taken care of. Enron
and Worldcom have shown the consequences of bad gov-
ernance and each country will have had its own local finan-
cial disasters as well. Sarbanes-Oxley
, Basel II
and many local regulations were the answer to this. All these
regulations are aimed at ensuring that organizations are in
control of decision making processes and have transparent
A second crucial sponsor of IT Governance is the fact
that organizations are more and more managed from the
perspective of the shareholder and other stakeholders. Or-
ganizations need to provide added value in terms of finan-
cial revenues or other values. Hedge funds are taking over
many companies and splitting them up for better financial re-
turns. Individual shareholders are getting organized and their
influence is growing. Other stakeholders like employees and
society are gaining recognition and extending their influence
on the decisions and performance of an organization.
These aspects illustrate some of the core elements of a
generally accepted view on corporate governance, as illus-
trated in the CIMA (Chartered Institute of Management
Accountants) Enterprise Governance Framework (see Fig-
ure 1). This framework emphasizes the role of two key is-
sues in governance: "Conformance" and "Performance".
This is NOT IT Governance
Jan van Bon
IT is a business like any other line of business, so why dont we run it as a business? If we look at other disciplines, we can find
excellent examples of the application of governance principles. In the IT market, however, we seem to have forgotten to apply
some of the most elementary business policies. Recent developments have shown the catastrophical effects that may follow from
this. So lets have a closer look at this, and take the first elementary step by answering What is IT Governance and what is it
NOT? The answer may come as a surprise. And IT Governance may be less difficult than it seemed.
Jan van Bon ( has been involved with the
development and publication of a large number of I T
Management frameworks. After a decade of academic research
he started his work in IT in the late 1980s, in the Netherlands.
He launched the Dutch itSMF (IT Service Management Forum)
in 1994 and was involved in itSMF projects ever since. He has
produced more than 50 books, in 14 languages, with expert
authors from all over the world, on a broad range of IT
management topics <>.
Figure 1: The CIMA Enterprise Governance Framework.
"The Sarbanes-Oxley Act of 2002 is a United States federal
law enacted on J uly 30, 2002 in response to a number of major
corporate and accounting scandals including those affecting
Enron, Tyco International, Adelphia, Peregrine Systems and
WorldCom". <>.
"Basel II is the second of the Basel Accords, which are recom-
mendations on banking laws and regulations issued by the Basel
Committee on Banking Supervision. The purpose of Basel II, which
was initially published in J une 2004, is to create an international
standard that banking regulators can use when creating regula-
tions about how much capital banks need to put aside to guard
against the types of financial and operational risks banks face"
"International Financial Reporting Standards (IFRS) are stand-
ards and interpretations adopted by the International Accounting
Standards Board (IASB)" <>.
6 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Table 1: Some Definitions of IT Governance (based on [1]).
3 Definition(s) of IT Governance
A Google search for the meaning of IT Governance will
easily show over 50 different definitions. There still is no
single authorative source that has gained the power to set
any of these as the universal and official definition. Table1
presents some of the most familiar definitions.
Lately, experts in the field show some convergence towards
common elements in the definitions they use. Key elements in
the governance definitions are the organization and the distri-
bution of rights. Governance tends to deal with organizational
elements that are accountable for decision making, in a trans-
parent way. This immediately points out the second important
element, which always is about decisions.
However, governance is mostly restricted to only pro-
viding the infrastructure for making these decisions, and
the decision making process itself is not included. Making
decisions is generally accepted to be an aspect of manage-
ment, which is separated from governance. Sohal and
Fitzpatrick [2] have illustrated that in their research on gov-
ernance in Australian government (see Figure 2).
So there is a clear distinction between governance and
management, suggesting that governance enables the crea-
tion of a setting in which others can manage their tasks ef-
fectively. Which makes IT Governance and IT Management
two separated entities. Although many frameworks such as
COBIT (Control Objectives for Information and related
Technology) and ITIL (Information Technology Infrastruc-
ture Library) are characterized as "IT Governance frame-
works", most of them are in fact management frameworks.
4 What Is Not IT Governance
To be able to understand what IT Governance is all about,
Researchers IT Governance Definition
Brown and
IT governance describes the locus of responsibility for IT functions.
IT governance is the degree to which the authority for making IT
decisions is defined and shared among management, and the
processes managers in both IT and Business organizations apply in
setting IT priorities and the allocation of IT resources.
and Zmud (1999)
IT governance refers to the patterns of authority for key IT activities.
Van Grembergen
IT governance is the organizational capacity by the board, executive
management and IT management to control the formulation and
implementation of IT strategy and in this way ensure the fusion of
Business and IT.
Weill and Vitale
IT governance describes a firms overall process for sharing decision
rights about IT and monitoring the performance of IT investments.
Schwarz and
IT governance consists of IT-related structures or architectures (and
associated authority patterns), implemented to successfully
accomplish (IT-imperative) activities in response to an enterprises
environment and strategic imperatives.
IT Governance
IT governance is the responsibility of the board of directors and
executive management. It is an integral part of enterprise governance
and consists of the leadership and organizational structures and
processes that ensure that the organizations IT sustains and extends
the organizations strategies and objectives.
Weill and Ross
(2004) [5]
IT governance is specifying the decision rights and accountability
framework to encourage desirable behavior in using IT.

The system by which the current and future use of ICT is directed
and controlled. It involves evaluating and directing the plans for the
use of ICT to support the organisation and monitoring this use to
achieve plans. It includes the strategy and policies for using ICT
within an organisation.

UPGRADE Vol. IX, No. 1, February 2008 7
IT Governance
Figure 2: IT Governance versus IT Management (Sohal & Fitzpatrick [2]).
it would be very helpful to understand what it is not. E.g.,
as we saw in the previous paragraph, management is not
governance. To be able to understand what is excluded from
the field of IT Governance, it therefore is useful to under-
stand what IT Management is.
We are discussing IT Governance and not corporate
governance, which automatically means that we have to
involve the discipline of Information Support in this. Infor-
mation Support is widely recognized as a supporting disci-
pline for the other Business processes.
The best way to manage a domain properly, according
to the principle of Separation of Concerns, is by dividing
that domain into a control subdomain and a realization
subdomain. That way, the realization domain does not con-
trol itself. Once applied to Information Support, this pro-
vides us with two separate responsibility domains: Infor-
mation Management (IM), where information support sys-
tems are designed and controlled, and Information Tech-
nology (IT), where the information systems are built and
run (see Figure 3).
Two opposite forces make this interactive system work:
1) Pull. The organization controls the quality of the In-
formation Support, based upon requirements that follow
directly from the information demand of the primary Busi-
ness activities. In addition, other supporting (Business) ac-
tivities also influence the demand for information. The IM
domain acts as the next link in the chain from the Business
domain perspective.
2) Push. Based on both possibilities and impossibilities,
and problems from the IT domain, the organization adjusts
the set-up of the Information Support.
Another widely used management paradigm (Planning
and Control) explains that in each domain we should al-
ways have Strategic, Tactical and Operational levels of
management (see Figure 4).
This also supports an interactive system based upon two
opposite forces:
1) Pull (top-down). Strategic plans and goals are speci-
fied at a tactical level and realized at an operational level.
But plans and goals can be adjusted, market forces can re-
quire adjustments, new partnerships can lead to new goals,
new ruling can require new preconditions, and each of these
will have its effect downstream towards the operational level.
2) Push (bottom-up). The organization adjusts objectives
and goals by evaluating the realization processes, adding op-
erational experiences to the decision processes. Again this will
show both the new possibilities as well as the impossibilities
and problems that an organization will run into.
Combining the views described above results in a 3x3
model for managing Business, Information and Technol-
ogy, as expressed in the SAME Model (see Figure 5).
The SAME model can be used as the "basic pattern" for
managing Information Support issues in organizations. It
still describes the responsibility and process elements, but
once we understand the structure of this 3x3 matrix, we can
use it to tackle organizational issues. Issues that can be ad-
dressed include:
The organization of the Information Support. This
deals with effectivity and efficiency:
- Setting up responsibilities, role descriptions and
RACI (Responsible, Accountable, Consulted, Informed)
matrices in the Information Management domain, and allo-
cating these to the various cells of the 3x3 matrix.
- Decisions on outsourcing of one or more activities
or functions, once they are understood and positioned in
the 3x3 matrix.
8 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
- Setting up the control organization for the management
of outsourced activities or functions, managing external sup-
pliers, setting up agreements, creating reporting policies.
- Auditing the organization.
Cross-references. Positioning and scoping of exist-
ing management frameworks, finding white spots in the
management system.
Process models. Allocating processes to specific man-
agement levels or domains, setting up process models based
on the given interactions between cells in the 3x3 model, com-
pleting process models based on the 3x3 model interactions.
Although the model can be used to tackle lots of man-
agement issues, it is quite useful as a base for discussing
governance issues. After all, if IT Governance is about the
organization of rights and decisions, we could now focus
on the allocation of these in the 3x3 matrix. The matrix pro-
vides us with a structured model of responsibilities and ac-
tivities. Allocating these to a specific organization actually
comes down to determining your IT Governance system.
Example 1: Organizing the IM Domain
Note that the dimension in the SAME Model is process
(managing Information Support activities, responsibilities,
tasks) and not organization. If we want to apply the com-
mon factors of the above definitions of IT Governance, we
will thus have to allocate the process domains of the SAME
Figure 3: Separation of Concerns in the Information Support Discipline (Van Bon & Hoving [3]).
Figure 4: The Planning and Control Paradigm for Strategy, Tactics and Operations (Van Bon & Hoving [3]).
UPGRADE Vol. IX, No. 1, February 2008 9
IT Governance
model to an organizational structure. We can do this by tak-
ing the organizational dimension as an overlay over the proc-
ess dimension in the SAME model. And since organiza-
tions tend to differ in their organizational models, we can
find many different solutions for that. A few simple exam-
ples for the organizational allocation of Information Sup-
port responsibilities are described in Figure 6.
This highlights the question of where the responsibility
for IM and IT is positioned in the organization, which typi-
cally is an IT governance issue. Basically this comes down
to a question of where the IM domain is positioned:
a) Stuck-in-the-middle. IM is positioned at equal distance
from the Business and the IT domain, in many instances em-
blematic for organizations trying to implement IM as a liaison
function. The result is fairly often an IM function "stuck in the
middle": missionaries talking to a brick wall at the Business
side, renegades for the Technology side, and peacekeeping
troops in the middle, missing a clear identity in their own
mindset. In this scenario, IM will be an independent Demand
Organization, loosely coupled with the Business.
b) As an extension of the IT function. The IM respon-
sibilities of the organization have largely been delegated to
the Technology domain, where the IT services are produced.
Although still often found in practice, this approach is not
recommended: management tends to be expressing itself in
terms of technology, not in terms of Business values. And
the information service provider is now controlling itself,
which leaves the Business vulnerable in its relationships
Figure 5: The Strategic Alignment Model Enhanced (Van Bon & Hoving [3]).
Figure 6: The Position of the Information Management Domain, between Business and Information
Technology in the SAME Model (Akker [4]).
10 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
with suppliers. The organization has set IM at a distance,
making it highly vulnerable to misalignment between Tech-
nology and the Business.
c) As an extension of the Business function. Here,
information is considered to be a Business asset, and the
relationship with Technology can be a contractual one: IT
is a supportive function, to be managed as such, and con-
ceivably governed via outsourcing. Moreover, IM is a shared
Business responsibility, while IM as a separate function is
only accommodating and stimulating, but never leading. IM
and Business responsibilities are tightly bound and IT can
be regarded as a replaceable commodity, to be provided by
any adequate supplier.
Example 2: Service Contracting
If the Business wants to contract specific information
support, it will contract the IM domain for the provision of
information services. This agreement can be called an In-
formation Services Agreement (ISA).
The IM domain will then have to contract an IT service
providing function, to provide the technology elements of
the information services. That agreement will be between
IM and IT, and can be called an IT Services Agreement
(ITSA), also known as the Service Level Agreement (SLA)
in ITIL (see Figure 7).
Example 3: Organizing a Service Desk
The IM domain will have to provide operational support
for the user in the Business domain. This refers to the func-
tionality and the actual delivery of the agreed information serv-
ices and is aimed at supporting the use of these information
services by the Business. The IT domain will have to provide
Figure 7: Service Contracting in the SAME Model.
Figure 8: Example of an Integrated Service Desk, as an Organizational Layer over the SAME Framework.
UPGRADE Vol. IX, No. 1, February 2008 11
IT Governance
the operational support for the user, under the control of the
IM domain, but the IM domain itself will have to provide the
support for functionality and specification issues.
For both types of support activities a Service Desk unit
may be installed. Instead of creating two separate Service
Desks, an organization may decide to create just one inte-
grated Service Desk (see Figure 8). This Integrated Service
Desk should then be prepared and educated to solve both
information issues as well as IT service issues.
Example 4: Position of Frameworks
An organization wants to use widely accepted frame-
works for its management approach. It already has ITIL V2
largely in place. The organization now considers the adop-
tion of ITIL V3, and wonders whether this will cover the
entire Information Support domain.
The answer is "no". Both ITIL V2 and V3 are largely
located in the Technology domain and cover only some
minor aspects of the IM domain. The organization will have
to adopt additional frameworks to cover the entire Informa-
tion Support domain (see Figure 9).
5 So What Is IT Governance
Based on the previous considerations, a recommendable
definition for IT Governance would be:
"IT Governance is the assigning of accountability and
responsibility and the design of the IT organization, aimed
at an efficient and effective use of IT within the Business
processes, and conforming to internal and external rules."
This definition is built on the following terms:
Accountability: the principle that individuals, organi-
sations and the community are responsible for their actions
Table 2: Examples of Organizational Decision Making Structures (based on [1]).
Decision Making Roles, Groups Description
Executive Board Decision making board of managers
Executive Manager Single decision making person
Business Board Decision making board of managers,
managing a single Business domain
Business Manager Single decision making person, managing
a single Business domain
Unit manager Single decision making person, managing
a single unit, e.g. of an expert domain
IT Board Decision making board of IT involved
managers, usually reinforced with experts
Committee Permanent decision making board of
experts, handling a single expertise,
knowledge domain, area, process of shared
Advisory Board Delivery of input to support decision
Task force Temporarily decision making board of
experts, handling a single task usually of
shared interest
Chief Information Officer Highest ranking decision making manager
in the Information Support domain
IT Manager Highest ranking decision making manager
in the IT domain
Service Manager Decision making representative, managing
a service or service domain on behalf of
the IT department
Employee Empowered employee that is authorized to
take certain (usually process related)

12 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
and may be required to explain them to others.
Responsibility: to be entrusted with or assigned a
duty or charge.
Organizational design: the structure and relations
between departments, the grouping of tasks, and the flow
of work in organizations.
Business Processes: the workflows within a company
and the processes involved in inter-company transactions.
Rules: policies and principles guiding action.
And a recommendable definition of management would be:
"Management is making decisions within a set of as-
signed accountabilities and responsibilities and for a
clearly defined organizational area."
Allocating the responsibilities and rights to an organi-
zational management system, as explained in the above
examples, is typically the kind of issue that is handled in IT
Governance. Other issues that IT Governance is concerned
with could be:
Ensure authority and responsibility in IT: How
do I stay in control? Which (in)formal planning and report-
ing shall be required? Who shall determine budgets? Shall
we have a centralized or a distributed organization?
Ensure IT complies with regulatory authorities:
Which body shall consider the relevant and required regu-
lations and certifications? How shall risks be managed?
Ensure IT is organized and ready for change: How
shall the IM and the IT organizations be organized? Hierar-
chy, project-based, flat, team-based, etc? Which remunera-
tion policies shall be applied? Bonus rules, performance
related salaries, variable salaries, annual raise, etc? How
shall competences be managed and developed?
Ensure IT is aligned to fit Business/organizational
Figure 9: An Example of Positioning Management Frameworks in the SAME Framework.
Direct Monitor
Pol ici es
Accountabi li ty
Responsibil ity
Performance of ICT
Conformance of ICT
Conformance Performance
IT Projects IT Operations
Direct Monitor
Pol ici es
Accountabi li ty
Responsibil ity
Performance of ICT
Conformance of ICT
Conformance Performance
IT Projects IT Operations
Figure 10: AS8015, Corporate Governance of Information and Communication Technology.
UPGRADE Vol. IX, No. 1, February 2008 13
IT Governance
needs: How shall an optimal fit between IT and Business
be realized? How do we deal with SLAs and service cata-
logues? Who decides on Service Levels?
Ensure IT delivers value for money: How shall
performance be measured? Shall IT performance be
benchmarked? Which cost model shall be applied?
IT Governance can also be concerned with issues like
Leadership, Culture, Risk management, Policies and pro-
cedures, Financial management, IT architecture, Procure-
ment and Sourcing.
6 The Organizational Aspects of IT Governance
If IT Governance is about organizing the decision mak-
ing structures, and the Information Support activities should
then be managed in these structures, the last question would
be: "what organizational structures could be applied in IT
These organizational structures can vary from organi-
zation to organization. Table 2 shows a number of possible
decision making roles or groups:
The elements from Table 2 can now be used to build an
organizations governance structure. A number of control
loops should then be designed to make sure that the frame-
work is a comprehensive system that controls itself. This
means that reporting mechanisms should be added, as well
as communication protocols, policies and standards. When
building this governance framework for your organization,
both aspects of good governance (conformance and per-
formance) should continually be addressed, to make sure
that the system will realize its primary goals. Once com-
pleted, the relevant regulations and standards can be used
to test the system and continual improvement programs can
be planned to enhance the organizations performance.
7 A Standard for IT Governance
As explained before, frameworks like COBIT and ITIL
are management frameworks, not IT Governance frame-
works. This also means that ISO/IEC 20000 also is a man-
agement standard and not a governance standard. There is
only one standard available for IT Governance, which is
the Australian standard AS8015 (see Figure 10). This stand-
ard is currently under investigation by the ISO organization
to see whether it can be adopted or embedded in the ISO/
IEC 20000 standard. If that would happen, the resulting
standard would be a mix of governance and management
The AS8015 indeed contains a number of control loops,
as required. It also emphasizes the basic structures of Con-
formance and Performance. However, it is short on specifi-
cations of the organizational issues that IT Governance
should be about, and instead it deals with quite a few
straightforward management issues.
8 Conclusion
IT Governance basically comes down to the question
"who rules what". Management should then work within
the agreed space. If Management does that correctly, this
will create the desired result: conformance to internal and
external regulations and standards, and optimized perform-
ance for adding value to the stakeholders of the organiza-
tion. The frameworks that are availlable to support this are
largely limited to the Management domain. Even the only
available local standard for IT Governance is largely deal-
ing with Management issues instead of IT Governance is-
sues. It may take a while before a true IT Governance frame-
work will become available.
[1] ITGA. Work from the IT Governance Association, The
Netherlands, not published, 2005.
[2] A.S. Sohal, P. Fitzpatrick. IT governance and manage-
ment in large Australian organizations. International
J ournal of Production Economics, 75, 94-112, 2002.
[3] J . van Bon, W. Hoving. Strategic Alignment Model En-
hanced. BHVB white paper, 2007.
[4] R. Akker. In J . van Bon (ed.). Frameworks for IT Man-
agement, Van Haren Publishing for itSMF, 2006.
[5] P. Weill, J . Ross. IT Governance: How Top Performers
Manage IT for Superior Results, Harvard Business
School Press, 2004. ISBN: 1591392535.
14 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
ITIL V3: The Past and The Future.
The Evolution Of Service Management Philosophy
Troy DuMoulin
Although the contribution made to ITIL (Information Technology Infrastructure Library) by version 3 over version 2
cannot be considered as a radical change in direction, it does represent a step forward towards making ITIL not only a
frame of reference for operational matters but also a valuable IT Governance tool. Rather than rendering the previous
recommendations obsolete, the new version places them within a broader context. This article stresses the importance of
this step forward and describes its most significant implications.
Keywords: Governance, ITIL, Process Integration,
Product Lifecycle, Value Chain.
1 Introduction
It has often been said that the only constant is change!
In the dynamic world we live in, this is true of all organic
things and ITIL(Information Technology Infrastructure
Library) is no different. From its humble beginnings as an
internal UK government initiative, to its growth and adop-
tion as a global best practice and standard for Service Man-
agement, ITIL has taken many steps along the road of
progress and maturity.
The ITIL Refresh Publications & Newsletters published
by the TSO (The Stationery Office) have given us some
interesting insight into the future of IT Service Manage-
ment (ITSM) as documented by ITIL. You will find links to
these documents on Pink Elephants ITIL v3 - Information
Central webpage <>.
It is my view that ITIL v3 is definitely taking a major
step in the right direction. We can observe a glimpse of this
from Table 1 that was published as part of the ITIL Refresh
Newsletter, 1st Edition, Autumn 2006. I would like to call
your attention to that table.
2 Key Evolutions in ITSM
From Table 1, we can identify and interpret some key
evolutions in ITSM Philosophy.
2.1 Alignment vs. Integration
For many years, we have been discussing the topic of
how to align Business and IT objectives. We have done this
from the assumption that while they (business and IT) shared
the same corporate brand, they were somehow two sepa-
rate and very distinct functions.
However, when does the line between the business proc-
ess and its supporting technology begin to fade to a point
where there is no longer a true ability to separate or revert
back to manual options? If you consider banking as an ex-
ample, Financial Management business processes and their
supporting technologies are now so inter-dependent that they
are inseparable. It is due to this growing realization that the
term alignment is being replaced with the concept of inte-
2.2 Value Chain Management vs. Value Service
Network Integration
When reading ITIL v2, you get the perception that the
business and IT relationship is primarily about a business
customer being supported by a single internal IT Service
Provider (Value Chain Management). Little acknowledge-
ment or guidance is provided about the reality of life never
being quite that simple. Todays business and IT relation-
ship for service provision is much more complicated and
complex than the concept of a single provider meeting all
business needs.
We need to consider that yes, there are internal IT func-
tions, but some are found within a business unit structure
where others are providing a shared service model to multi-
ple business units. Add to this the option of using different
external outsourcing options or leveraging software as a
service model and what you end up with is what ITIL v3
refers to as an Integrated Value Service Network.
Troy DuMoulin is Director of Product Strategy and Executive
Consultant at Pink Elephant. He is an experienced Executive
Consultant with a solid and rich background in business process
re-engineering. Troy holds the Management Certificate in ITIL
and has extensive experience in leading Service Management
programs with a regional and global scope. His main focus at
Pink Elephant is to deliver strategic and tactical level consulting
services to clients based upon a demonstrated knowledge of
organizational transformation issues. Troy is a frequent speaker at
ITSM events and is a contributing Author for the ITIL "Planning
to Implement IT Service Management Book." He also works with
ISACA on COBIT v4 development <
UPGRADE Vol. IX, No. 1, February 2008 15
IT Governance
2.3 Linear Service Catalogues vs. Dynamic Service
While ITIL has always been referred to as an IT Service
Management Framework, the primary focus up until now
has been on the ten Service Support and Delivery processes.
In previous versions of ITIL, the concept of a service has
almost been an afterthought or at least something you would
get to later. Consider that in ITIL v2 the process of Service
Level Management has, as one of its many deliverables, a
Service Catalogue which can be summarized from the theory
as a brochure of IT Services where IT publishes the serv-
ices it provides with their default characteristics and at-
tributes or Linear Service Catalogue.
In contrast to this, a Dynamic Service Portfolio can be
interpreted as the product of a strategic process where serv-
ice strategy and design conceive of and create services that
are built and transitioned into the production environment
based on business value. From this point, an actionable serv-
ice catalogue represents the published services and is the
starting point or basis for service operations and ongoing
business engagement. The services documented in this cata-
logue are bundled together into fit-for-purpose offerings
which are then subscribed to as a collection and consumed
by business units.
2.4 Collection Of Integrated Processes vs. Service
Management Lifecycle
Based on publicly available information, we know that
the ITIL v3 core books are structured around a Service
Lifecycle. This new structure organizes the processes we
understand from ITIL v2 with additional content and proc-
esses we are waiting to hear more about within the context
of the life span of IT Services. From this observation, we
can see that the primary focus is shifting from process to IT
Service. While processes are important, they are secondary
and only exist to plan for, deliver and support services. This
moves the importance and profile of the Service Catalogue
from being an accessory of the Service Level Management
process to being the corner stone of ITSM.
As organizations evolve from a technology focus to a
service orientation focus, these core changes to ITIL pro-
vide the context and ability to support this emerging reality.
Table 1: Key Evolutions in ITSM Philosophy.
Business & IT Alignment Business & IT Integration
Value Chain Management Value Service Network Integration
Linear Service Catalogues Dynamic Service Portfolios
Collection of Integrated Processes Service Management Lifecycle

2007. Pink Elephant. All rights reserved. ITILis a Regis-
tered Trade Mark and a Registered Community Trade Mark of the
Office of Government Commerce, and is Registered in the US Pat-
ent and Trademark Office.
16 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
PMBOK and PRINCE 2 for the Management of
ITIL Implementation Projects
Grupo de Metodologas de Gestin de Proyectos of the
itSMF Spain under the coordination of Javier Garca-Arcal
In this article we analyse a compilation of tools and techniques produced by a working group coordinated by itSMF Spain
with a view to providing professionals involved in projects implementing ITIL best practices with a range of project
management tools and techniques (based on PMBOK and PRINCE2 methodologies) to facilitate project management and
ensure a successful implementation of ITIL.
Keywords: Best Practices, CSF, Implementation, ITIL,
ITSMF, PMBOK, PRINCE2, Project Management, Success
Factor, Tools.
1 Introduction
The purpose of this article is to develop and dissemi-
nate tools that will ensure the successful execution of ITIL
implementation projects and help the parties involved meet
the challenge of implementing ITIL.
First we will give a brief explanation of the acronyms
used to refer to these methodologies:
ITIL (Information Technologies Infrastructure Library) is
a set of best practices for the administration and management
of IT services in terms of the people, processes and technol-
ogy employed, developed by the UK government agency, the
OGC (Office of Government Commerce). ITIL provides rec-
ommendations and guidelines for IT management aimed at
achieving alignment between technology and business.
The Project Management Body of Knowledge (PMBOK)
is a compilation of knowledge acquired in project manage-
ment. It belongs to the PMI, Project Management Institute,
whose members are professionals from various fields, such as
law, finance, etc. The PMI encompasses both traditional and
more innovative practices.
PRINCE2, on the other hand, is a structured method of
project management which seeks to develop the organiza-
tion, administration, and control of projects based on project
management best practices.
In order to implement ITIL in an organization or depart-
ment we first need to make a study of potential advantages and
how those advantages can be gained by the end of the project.
The work performed by our group has resulted in an eminently
practical approach for ITIL implementation projects.
2 Work Methodology
A work methodology based on brainstorming was de-
signed and it was decided to apply decomposition techniques
to the analysis of information sources.
In addition to brainstorming, we used information from
PMBOK, PRINCE2, and the ITIL V2 and V3 books, as well
as the know-how of each member of the group.
In the first stage of the work we established the critical
success factors for an ITIL implementation, while in the
second stage we analysed each of the tools and techniques
proposed by PMBOK and PRINCE2 with a view to seeing
just how useful these tools and techniques were for imple-
menting ITIL. In the third stage of our work we considered
how to maximize the usefulness of the results for those in-
volved in ITIL implementations. It was decided to use a
graphical method based on hierarchical relationships simi-
lar to the one used by the metrics group of itSMF Spain [1].
3 Results
We go on to show some of the results obtained from this
study for both PMBOK and PRINCE2. We have explained
the methodology used to obtain results; now we will ex-
plain the content of each "tree" in which these results are
represented, and show how to use these trees to extract prac-
tical and useful information for the management of ITIL
implementation projects.
Grupo de Metodologas de Gestin de Proyectos (Project
Management Methodologies Group) of the itSMF (IT Service
Management Forum) is a multidisciplinary working group which
was convened following a directive from the standards
committee of itSMF Spain to create a line of research into project
management methodologies applied to the management of ITIL
implementation projects. It is coordinated by Javier Garca-Arcal.
Javier Garca-Arcal is a Doctor of Engineering by the Univer-
sidad Politcnica de Madrid. He works as a consulting mana-
ger at IT Deusto and as a lecturer in Project Management at the
Escuela Tcnica de Ingeniera Informtica and at the Escuela
de Ingeniera Tcnica Industrial of the Universidad Antonio de
Nebrija. He has collaborated in the review of the books ITIL V3
Service Operation and Fundamentos en ITIL V2. J avier has
pursued his career in process consulting, defining ITIL processes
for major multinationals in the Consulting, Retail, Telephony,
and Public Administrations sectors. He has worked in twelve
countries in IT Governance coordination, administration, and
project management, in software development in IT departments
of various consulting firms (Secuenzia, Citi Technologies, etc.),
and in service companies such as Sermicro, and multinationals
such as Chep and Telefnica I+D <>.
UPGRADE Vol. IX, No. 1, February 2008 17
IT Governance
The analysis of the trees can be performed bottom-up,
from the tool to be used to the CSF (Critical Success Fac-
tor) on which it impacts, or top-down, from the CSF that
we want to improve/reach to the tools. The top-down method
will be used to give greater emphasis to the tools used and
to make it easier to trace the process through the tree. As we
can see, level 1 is the CSF itself which in turn is related to
all the PMBOK stages forming level 2 of the tree.
Each PMBOK stage has a number of activities which
may have or suffer from some degree of dependence with
the CSF which it is evaluating. Only those activities which,
in the course of our work, have been seen to contribute added
value in the achievement of the CSF in question will appear
on the tree. These activities comprise level 3 of the tree.
Finally, on level 4 will be all the tools, techniques, inputs
and/or outputs related to a PMBOK activity which is useful
to the CSF and may also contribute to the success of the
Figure 1: Tree for PMBOK-CSF 10 Having the necessary resources and budget.
Figure 2: RACI Matrix.
18 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Figure 3: Work Breakdown Structure.
Figure 4: Pareto Diagram.
Therefore, if we wish a certain CSF to be achieved, we
can use the tools that figure in the tree, concentrating on
those that are easier to use in our project or those that most
benefit our project.
If we apply this analysis to CSF 10, "Having the neces-
sary resources and budget", the purpose of which is to en-
sure that the team carrying out the project has all the re-
sources necessary to complete it successfully, we get the
tree shown in Figure 1. To achieve this CSF the following
tools can be used, among others: RACI, WBS, and Pareto
The horizontal rows of the RACI matrix set out in Fig-
ure 2 show project activities while the vertical columns rep-
resent all the people involved in the project. The idea is to
obtain detailed knowledge of each persons degree of in-
volvement in each activity and this is done by assigning
each person a role in each task he or she is involved in. The
roles defined for a RACI matrix are:
The WBS or Work Breakdown Structure shows how
project outcomes are subdivided into work packages (see
Figure 3). This representation provides us with a clear idea
of what outcomes the project will produce.
The last tool that can be used to achieve this CSF is the
Pareto Diagram, which is designed to show any defects that
have been produced by grouping them together according to
their origin/cause (see Figure 4). This technique allows us to
identify potential deviations in the success of the project be-
fore they occur, or as soon as possible after they appear.
UPGRADE Vol. IX, No. 1, February 2008 19
IT Governance
Figure 5: Tree for PMBOK-CSF 5 Project closeout and transfer.
Figure 6: RBS, Risk Breakdown Structure.
20 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Figure 7: Diagram SWOT.
In Figure 5 shows the tree for the PMBOK correspond-
ing to CSF5, "Project closeout and transfer", which is about
closing the project in the best possible manner. To increase
the effectiveness of this CSF the following tools can be used,
among others: Communications Management Plan, RBS,
SWOT, and even the Pareto diagrams mentioned earlier.
The Communications Management Plan contains all
the information deemed necessary to ensure that the project
stakeholders can perform their functions efficiently. This
information includes: distribution frequency, format, respon-
sibility, purpose of information, etc. Meanwhile RBS (Risk
Breakdown Structure), an example of which can be seen in
Figure 6, is a hierarchical description of project risks of the
project, identified and organized by risk category and
subcategory, which pinpoints various areas of risk and po-
tential causes.
The SWOT (Strengths, Weaknesses, Opportunities, and
Threats) diagram helps us analyse these factors by provid-
ing the answers to the questions posed in Figure 7.
We go on to describe two CSFs and how they relate to
Figure 8. Tree for PRINCE2-CSF 2 Highlight, communicate and maintaining business alignment.
UPGRADE Vol. IX, No. 1, February 2008 21
IT Governance
Figure 9: Gantt Diagram.
PRINCE2 methodology.
Figure 8 shows the tree for PRINCE2 corresponding to
CSF 2, "Highlight, communicate and maintaining business
alignment", which is about adopting a number of measures
to deliver value to business through ITIL implementation.
This tree focuses on the following tools/techniques: Project
Initiation Document or PID, Gantt diagrams, baseline, les-
sons learned file, and configuration item report.
The Project Initiation Document, or PID, establishes
the reference terms of the project, project role definitions,
and a communication plan in order to ensure that the ap-
proach, work plan, functions, and scope are clear. A well
put together PID lends visibility to the project while main-
taining business alignment.
The Gantt diagram (seeFigure 9) is a graphical tool
for showing expected time dedication for the different tasks
or activities over a given total time period. In spite of the
fact that, in principle, a Gantt diagram does not show rela-
tionships between activities, the position of each task over
time makes it possible to identify these relationships and
A baseline is a way to store project-related information
such as starting dates, costs or resources so as to be able to
compare interim adjustments with the initial schedule or
budget and so measure the degree of progress of the project.
The lessons learned file contains previous project man-
agement resolutions while configuration item reports keep
version control of the elements and processes being imple-
mented so as to be able to align them with business and
keep track of which versions are current.
Finally we will take a look at CSF 10, "Having the nec-
essary resources and budget" as it relates to PRINCE2 meth-
As can be seen in Figure 10, to achieve this CSF the
following tools may be used: business case, matrix role-
responsibility and matrix role-competency.
Business case consists of ensuring that there is an ap-
propriate balance between revenues and resource costs,
based on expected return on project parameters for each
company or entity. This will include the following content,
among other: information on revenues such as invoicing
and collection schedule, all sources of expected income,
etc., and information on costs; for example, contingency
risks, internal and external costs.
The purpose of the role-responsibility matrix is to en-
sure that the responsibilities and competencies needed for
the proper performance of each role in the project are ap-
propriately defined. In order to build this matrix we need a
general list of applicable roles, responsibilities for each role,
and competencies for each role. By using the matrix we can
obtain a detailed definition of responsibilities and compe-
tencies, with the expected degree of competency required
by each role, which provides the organization with a cata-
logue of the resources required by the project.
The role-competency matrix provides the organization
with information on project resource requirements in terms
of responsibilities and competencies, and on how appropri-
ate those resources are to the needs of the project. Based on
a project-specific role-responsibility matrix we can build
other matrices with the following information:
Role-candidate resource matrix, with the candi-
date resources for each role and a comparison of require-
ment compliance for each candidate.
Role-allocated resource matrix, containing the
name of the resource for each role and the degree of re-
quirement compliance for each role.
General gap between roles-responsibilities-com-
petencies and the baseline resource evolution plan.
4 Conclusions
In the journey from a theoretical model of ITIL best
practices to the proper integration of that model into the
processes and culture of the business organization, the
implementation stage is all important. This is why we need
project management to control and coordinate project ac-
tivities within the pre-established constraints of time, cost
and resources. We can consider each ITIL process as a
project or, conversely, all ITIL processes as a single project.
Our research into Critical Success Factors (CSF) for
ITIL implementation and how they relate to the processes
and tools of the two methodologies we have compared,
PRINCE2 and PMBOK, defines a number of specific proc-
esses and techniques in each methodology for the achieve-
ment of those CSF and, therefore, for the successful imple-
mentation of ITIL processes. An inappropriate approach to
project management is one of the main reasons for the fail-
ure of ITIL implementations in organizations.
I would like to thank Luis Morn, Mona Biegstraaten and
Marlon Molina (coordinators of the standards, marketing, and
publications committees of itSMF Spain) for their support and
encouragement during this work, and thanks also go to the
members of the Grupo de Metodologas de Gestin de
Proyectos (Project Management Methodologies Group):
Juan Carlos Vigo, ATI <>.
Eduardo Prida, AUSAPE <>.
22 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
David Aguilera, SERMICRO <>.
Nicoletta Calamita, MORSE <>.
Eva Linares Pileno, STERIA <>.
Rafael de la Torre, QINT <>.
Julio Cesar Alvarez, STERIA <>.
Ramn Batista Berroteran, SERMICRO <>.
Rafael Pastor, ACCENTURE
Ins Lpez Alvarez, SERMICRO <>.
Ana Rengel Baralo, IT DEUSTO <>.
[1] A. Garca-Almuzara, J. Garca-Arcal, F. Alcedo. Estudios
de mtricas ITIL-COBIT para Gestin de Configuracin
y Gestin de Cambios. In: ITSMF. 1st Annual itSMF Spain
Congress, Madrid, November 26, 2006.
R. Bovee, M. Ruwaard. Operations Management, a new
process. Second edition, April 2004. Nederland.
Mansystems, 2004. 89 pages. ISBN 90-440-0201-5.
J. Garca-Arcal, O. Ruano, J.A. Maestro. "PRINCE2 vs.
PMBOK". In: Universidad Antonio Nebrija. LS5168
Gestin de Proyectos Tecnolgicos, Madrid, June 21,
IT Governance Institute. COBIT 4.1. Rolling Meadows,
USA: IT Governance Institute, 2007.196 pages. ISBN 1-
Office of Government Commerce. ITIL Service Deliv-
ery. 2nd Version. United Kingdom: The Stationery Of-
fice Books, 2001. 300 pages. ISBN 978-011-330017-4.
Office of Government Commerce. ITIL Service Support.
2nd Version. United Kingdom: The Stationery Office
Books, 2001. 300 pages. ISBN 978-011-330017-4.
Office of Government Commerce. Managing Successful
Projects with PRINCE2. 4th edition. United Kingdom:The
Stationery Office, 2005. 456 pages. ISBN 0113309465.
Project Management Institute. A Guide to the Project
Management Body of Knowledge (PMBoK Guide, 3rd
Edition). PMI, 2004. ISBN: 1-930699-50-6.
S. Taylor, D. Cannon, D. Whelldon. ITIL Service Opera-
tion. 3rd Version. United Kingdom: The Stationery Of-
fice, 2007. 263 pages. ISBN 978-0-11-331046-3.
S. Taylor, G. Case, G. Spalding. ITIL Continual Service
Improvement. 3rd. Version. United Kingdom: The Sta-
tionery Office Books, 2007. 221 pages. ISBN 978-0-11-
S. Taylor, S. Lacy, I. Macfarlane. ITIL Service Transi-
tion. 3rd. Version. United Kingdom: The Stationery Of-
fice Books, 2007. 261 pages. ISBN 978-0-11-331048-7.
S. Taylor, V. Lloyd, C. Rudd. ITIL Service Design. 3rd.
Version. United Kingdom: The Stationery Office Books,
2007. 334 pages. ISBN 978-0-11-331047-0.
S. Taylor, M. Lobal, M. Nieves. ITIL Service Strategy.
3rd. Version. United Kingdom: The Stationery Office
Books, 2007. 264 pages. ISBN 978-0-11-331045-6.
Figure 10: Tree for PRINCE2-CSF 10 Having the necessary resources and budget.
UPGRADE Vol. IX, No. 1, February 2008 23
IT Governance
Business Intelligence Governance, Closing the IT/Business Gap
Jorge Fernndez-Gonzlez
The need of IT departments to create value for their organizations business has given rise to a large number of tools (IT
Governance), which to a greater or lesser extent have been closing the gap between IT and Business, but have failed when
applied to Business Intelligence systems. This article demonstrates the need to create a dedicated BI Governance struc-
ture over and above IT Governance, a structure based on agility, versatility, and human relations which is specifically
designed to provide information to decision makers.
Keywords: Business Intelligence, Decision-making, IT/
Business Gap, IT Governance, Value.
1 Introduction
When I was in my teens people used to ask me about
whether I intended to study "science" or "arts". The ques-
tion always irritated me, so I would put on my most serious
expression and answer that I did not understand the ques-
tion because the "love of knowledge" (i.e. philosophy) had
never made any such distinction. I am similarly irritated
when people ask me whether I am an IT or a business con-
sultant. Once again, I cannot see the difference.
In this article I will be looking into how we can govern
our decision-making support systems, and we will also see
how it is impossible to separate "Business" from "IT" in
this context.
2 Defining Concepts
Figure 1, adapted from Webb, Pollard & Ridley [2],
shows how the BI Governance concept has evolved.
BI Governance is rooted in corporate governance, which
established the first practices of strategic management, risk
management, performance management, plans and controls,
and in the strategic plans of information systems, while
Executive Information Systems (EIS) and Decision Sup-
port Systems provided the basis for the creation of Busi-
ness Intelligence as we know it today.
Controlling the organization and controlling informa-
tion systems are two sides of the same coin which converge
in BI Governance.
But before going on, we should first define the two key
areas of influence that converge to produce Business Intel-
ligence Governance: Business Intelligence, and IT Govern-
2.1 What is Business Intelligence?
Business Intelligence (BI) is a somewhat ambiguous term
encompassing a number of different acronyms, tools, and
disciplines: OLAP, Datawarehousing, Datamarts,
Jorge Fernndez-Gonzlez graduated as an Informatics
Engineer from the Facultad de Informtica de Barcelona (UPC)
and is currently pursuing his doctorate in Software, specializing
in Information Systems, at the same university. He divides his
professional time between three activities. First and foremost
he works as an information systems professional as Director of
Business Intelligence Consulting at Abast Solutions, a company
operating nationwide. Here he has worked in several different
areas of consulting in the companys ERP, CRM, and R&D
departments while helping with the implementation of tailored
solutions. The second of his activities is university lecturing.
He is currently lecturing in the LSI department (Department of
Languages and Informatics Systems) of UPC (Universitat
Politcnica de Catalunya) and he is responsible for the subject
"Information Systems for Organizations" offered by the Facul-
tad de Informtica de Barcelona. He has also been a
collaborating lecturer at UOC (Universitat Oberta de Catalunya),
a lecturer for master and postgraduate studies at the Fundacin
Politcnica, and delivers lectures as a guest lecturer at business
schools such as ESADE and EAE. He combines the above two
activities with his work as a disseminator. He forms part of the
editorial teamof the journal Gestin del Rendimiento (Performance
Management), he writes articles for the journal DATA.TI (formerly
Datamation), he delivers conferences and seminars, and he writes
in various Internet portals and thematic blogs, including his own
blog <>dedicated to
decisional systems <>.
Figure 1: Evolution of BI Governance.
24 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Datamining, Executive Information Systems, Decision Sup-
port Systems, Neural Networks, Expert Systems, Balanced
Scorecards, and many others. It is impossible to give an
exact definition of all the terms under the Business Intelli-
gence. Some authors [1] have gone as far as calling it a
The multifaceted and diverse fauna inhabiting this jun-
gle have three characteristics in common.
The first is that they provide information for controlling
the business process, regardless of where the information is
Obviously, BI forms part of a companys information
system, which is what controls the proper functioning of
the processes performed in the company.
In a classical organization such as the one shown in
Figure 2, we can see that transformation processes are af-
fected by external perturbations, such as changes in the
market, replacement products, new legislation, etc., which
must be controlled and corrected. And we all know that over
time systems tend toward disorganization and chaos. This
is why the measurement of performance indicators and their
comparison against the organizations objectives is the best
way to find out if something is going wrong in our organi-
Processes generate and consume information as they are
being performed. Part of that information (what we call
operational information) is consumed in the short term, but
a large proportion is stored in various transactional systems
(ERP, CRM, SCM, etc.) until it can be used for tactical (me-
dium-term) and/or strategic (long-term) decision-making.
Grouping this information and putting it at the disposal
of the process control system in a timely manner, regard-
less of which operational system it may have originated in,
will help us optimize our processes, whether they are of an
operational, tactical, or strategic nature. Obviously the level
of aggregation and standardization of heterogeneous data
sources will be higher for processes of a decisional nature,
and it is precisely this decisional nature that gives a new
dimension to the definition of Business Intelligence: deci-
sion-making support is the second and most important of
the three characteristics that all components of Business
Intelligence have in common.
BI does not only present information but it makes it
possible for that information to be managed and browsed to
enable us to analyse causes. Analysis is fundamental to de-
cision-making. Decisions are not made on the basis of a
single source of information. Various sources of informa-
tion are weighed up, interrelated; you might say that the
information is "alive". The analysability of information is
what enables us to make better business decisions.
We cannot make business decisions if we do not talk the
language of business. Regardless of where the information
is stored and how it may have been transformed or aggre-
gated, the important thing is to deliver this information to
business users in a language that they understand, are com-
fortable with, and which needs no interpretation for them to
understand it. And this is the third characteristic of BI: in-
formation oriented towards the language of business users.
In this way their work is made easier and the decision-mak-
ing required to improve processes and gain a competitive
edge in the market is speeded up.
We might therefore define Business Intelligence as the
system which provides us with the information required to
control processes, and the information used by business
Figure 2: Organization as a System.
UPGRADE Vol. IX, No. 1, February 2008 25
IT Governance
users for the purpose of decision-making.
Perhaps the most important characteristic of BI, one
which will shape the need for BI Governance in the future,
is that it is focused on enabling business users to make de-
cisions with semantically appropriate information. We are
not talking about either data or IT; we are talking about
business and information users.
2.2 What is IT Governance?
Once again the definition of IT Governance is by no means
clear. Some authors[2] define it as a subset of Corporate Gov-
ernance focused on the alignment of IT objectives with busi-
ness objectives. The IT Governance Institute[3] agrees with
this definition and expands on it by including the relevant proc-
esses and organizational structures and appropriate leadership
as additional requisites. This definition is complemented by
Grembergen et al. [4] who focus their definition on the four
key issues of IT Governance:
Strategic alignment between IT and Business.
Delivery of value to business through IT.
Risk management.
Performance management.
These four issues are sometimes complemented by a fifth
Control of accounts.
Finally, we might define IT Governance as the strategic
alignment of IT with business in such a way as to deliver
the maximum business value through the development and
maintenance of effective IT controls aimed at controlling
accounts, performance management, and risk management.
IT Governance builds a great many bridges between
business processes and IT processes in an attempt to achieve
this objective. The mishmash of standards is growing in
number and scope as they try to cover more processes, more
indicators, more operations until their full application would
take a lifetime to complete.
Figure 3 from Larsen et al [5] shows 17 types of current
standards and best practice systems for aligning IT and busi-
ness objectives.
Here is not the place to discuss the success of these tools
and the improvement that they have brought to support proc-
esses and the core business of our organizations, but in terms
of helping the decision-making process, when applied to
Business Intelligence systems these IT Governance tools
suffer from a number of shortcomings. When it comes to
supporting decisional processes, these tools narrow, but fail
to close, the IT/Business gap. The gap is so wide that initia-
tives of this nature, which are focused on and aimed at IT,
do not achieve their objective. Let us see why not.
3 Why IT Governance Tools Fail when Applied to
Business Intelligence
One of the main shortcomings that we who have spent
our professional lives in IT departments have is that recently
we have spent too much time contemplating our navels. We
have gone from being managers of IT departments that per-
formed a kind of troubleshooting service to finding our-
selves in a state of functional maturity in which we are ex-
pected to be service oriented (see Figure 4). But that last,
vital step to delivering value to the company, in which the
IT department must embrace decisional systems and Busi-
ness Intelligence, is precisely the one we have been unable
to take, perhaps because now we think we are so very im-
portant to the business.
Figure 3: Classification of IT Governance Tools.
26 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
We look at ourselves and say: Look how well were
performing! Look how many standards we have, how many
best practices! And we stare at our navels as if we are going
to get business value from there. We have become a kind of
"enlightened despotism"; everything for business but with-
out the business.
3.1 IT-focused
The first mistake we make is to model our IT Govern-
ance tools from our IT point of view; we talk IT, our start-
ing point is IT, and we design for IT. In fact the semantics
are wrong from the outset.
We talk about IT (Information Technologies) instead of
talking about IS (Information Systems). Business never talks
techno-speak, it talks the language of business, and the only
thing we should be providing is information so that manag-
ers can make better decisions. We are their Information
System, from a transactional or decisional point of view,
and from an operational, tactical, or strategic perspective.
We only provide information to make better decisions that
will give the company a competitive edge and so create
enterprise value (see Figure 5).
If we look at decision-making processes and one of the
IT Governance tools, we continue to combine information
with technology as if they were one and the same thing, as
if the technology were important. Technology changes con-
stantly; it is a means of delivering information to business,
never an end in itself.
Fortunately some authors are beginning to coin new
terms. Charlie Betzya has begun to speak of BISM [7] (Busi-
ness Information Services Management), rendering the term
IT Services obsolete and replacing it with Business Infor-
mation Services. Top professionals [8] are already adopt-
ing this new terminology, which is definitely a step in the
right direction.
3.2 Structure-focused
IT departments are used to structuring information. Since
the beginning of IT we have worked at improving produc-
tivity and systems of an operational, day-to-day, short-term
nature. This, together with our scientific training, makes us
very structured; we want to define all processes and control
them as much as we can. The problem arises when we have
to deal with decisional systems which are, by definition,
Figure 4: Evolution of the Management of IT Departments (adapted from A. Valle [6]).
Figure 5: Creation of Value from Information Systems.
UPGRADE Vol. IX, No. 1, February 2008 27
IT Governance
semi-structured systems that enable us to analyse infor-
mation. There is extensive literature on EIS (Executive In-
formation Systems) and DSS (Decision Support Systems)
which explains how we should semi-structure information
to make it a versatile decision-making tool.
In short, the focus is on creating roles and responsibili-
ties, rigid hierarchical structures, definitions of processes
and system plans, all under level of service agreements. Such
a bureaucracy is valid for operational systems but is not
appropriate for decisional systems, which need to provide
an agile response to the ever changing questions raised by
So what happens when we try to structure a semi-struc-
tured system? We end up straight-jacketing it and making it
rigid, and therefore useless.
3.3 Based on General Hypotheses
The various IT Governance tools are structured around
a great many hypotheses which we never consider. For ex-
ample, if we look at COBIT, which is one of the most widely
implemented and decision-making oriented tools, we find
that it features "34 control objectives that have been devel-
oped from 41 international source documents and have been
validated to balance IT risk against investment in IT con-
What does this mean? That when it was designed, a large
number of decisions were made about cases of an entirely
international nature, with very little in common with, say, a
Spanish or Russian SME. Control objectives were defined
based on a series of hypotheses that are not always applica-
ble. Are those 34 objectives really applicable to my enter-
prise? Would some of the objectives that were left out have
been really useful to me in a smaller and more competitive
business environment? Who can know? Obviously the an-
swer to these questions is not only to be found on the IT
side; it also lies on the business side of each particular or-
3.4Not People-focused
It is people who make the decisions in an organization.
It is people who actually perform, control, and decide on
processes, and it is businesspeople who deliver value to the
company with their decisions. However, all current IT Gov-
ernance tools maintain the IT/Business gap. They are fo-
cused on continuing to manage structures and processes,
and this alone will not close the gap. We need effective
mechanisms to foster relations between people in the or-
ganization. We need to focus on people.
There are authors who are already aware of this fact. De
Haes and Van Grember [10] are convinced that if IT Gov-
ernance is to be a success, we need to add a third compo-
nent to our old friends, "structures" and "processes"; this
component is none other than "relational mechanisms" (see
Table 1).
The mechanisms that will ensure the active participa-
tion and collaboration of key users and mixed Business and
IT interdisciplinary teams are those that will ensure that the
Business/IT gap is finally closed. And they are the founda-
tions on which we will build BI Governance.
3.5 CIO Led
The following example of organizational structure (see
Figure 6) shows the present day situation of CIOs (Chief
Information Officers) within organizations.
The CIO has always had a hard time rising above the
Financial Director or Director of Organization and Systems
in a companys organizational hierarchy. And for many years
this position has become the "champion of the cause of IT
departments". We need to be where the decisions are made
so we can help provide information. This is why we have
fought so hard to get our "white knight" (half technologist,
half businessman, and always a great public relations pro-
fessional) onto the management committee, reporting di-
rectly to the CEO (Chief Executive Officer or Managing
Director) and to no one else. And we are happy with what
we have achieved.
And we have structured all our IT Governance around
this champion who, when we address the need to govern
our decision-making systems, becomes a real bottleneck
which prevents us from narrowing the IT/Business gap.
Everything must go through him/her, and (s)he is responsi-
ble for converting business objectives into specific IT ob-
jectives which once set are controlled exclusively by the IT
Another crass mistake: we should not be happy with
merely having a representative at the top level management
Table 1: Structures, Process and Relational Mechanisms for Implementing IT Governance (De Haes and
Van Grembergen [10] based on Peterson [11]).
28 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
committee so that decisions are made top-down. If we are
going to close this gap, the next step is to have a representa-
tive at all levels at which decisions are made; not only at the
top but also at tactical and operational levels, until IT struc-
ture is efficiently interlinked with business structure. At that
moment, when we can no longer tell the difference between
the two structures, we will have bridged the IT/Business
gap once and for all.
4 Definition of BI Governance
There have been few attempts to define BI Governance.
Most of the time it has been left to readers to interpret what-
ever they saw fit, while the benefits of BI Governance have
been talked up from a commercial point of view.
In the white paper "Top 10 Trends in Business Intelli-
gence for 2007"[12], the number one trend is precisely "BI
Governance" However, it is half-heartedly defined as the
structure which ensures the effectiveness of BI programmes
and investment.
No Gutierrez [13] describes it as being based on three
Prioritization of projects.
Guidelines, rules, and recommendations.
Roles and responsibilities.
Beth Leonard [14] goes a step further and delivers a
clear message that we should not stop at simply setting up
control mechanisms, but rather we should extend BI Gov-
ernance by means of partnerships in the immediate envi-
ronment. BI Governance should have a clear strategic vi-
sion (such as the one that led to COBIT), but it should also
have common tactical boundaries of responsibility shared
between IT and business units.
But in my opinion, Larson and Matney [15] are the au-
thors who best define the concept of BI Governance:
BI Governance is the process of defining and imple-
menting infrastructure that will support enterprise goals. It
is the joint property of information technologies and the
various business units, and is responsible for steering the
strategic process of delivering the value of Business Intelli-
gence in the enterprise.
The mention of joint property and delivery of value
makes this the best definition of BI Governance.
All the authors [12][13][14][15] are working on defin-
ing the components that should make up a BI Governance
framework, but first we need to define the values on which
that framework should be built, to avoid making the same
mistakes as we made with IT Governance.
5 Basic Values of BI Governance
As Brousseau et al. say [16]: The job of a manager is,
above all, to make decisions. At any moment in any day,
most executives are engaged in some aspect of decision-
making: exchanging information, reviewing data, coming
up with ideas, evaluating alternatives, implementing direc-
tives, following up.
However, there are different types of decision-making.
How much information do we need to consult before
making a decision? All there is? Only some of it just to get
an idea? Exhaustive and corroborated or just enough to make
a hypothesis? Do you only keep one objective in mind when
making a decision? A single straight path, with a clear ob-
jective? Can your decision be valid for meeting several dif-
ferent objectives? Or do you explore a number of paths that
are not entirely clear but which may still meet your needs?
The answers to all these questions vary according to each
individual and his or her experience in decision-making
The four values that a BI Governance system must have
to be able to meet these challenges are:
1) Ongoing adaptability. Decisional processes are con-
stantly changing; they are not clearly defined as operational
processes are. Once defined, the way an invoice is proc-
essed will always be the same, but the process of deciding
whether that invoice is to be paid or not will change con-
stantly. We must therefore be capable of adapting speedily
and easily to the information requirements defined for those
2) Teamwork. The IT/Business gap can be bridged by
putting IT and business people into working groups. The
decisional user must play an active role within the IT groups
developing BI systems. The initiatives generated by team-
work, the interdisciplinary process monitoring groups, and
the joint BI system review sessions, must be a routine part
of work if we want to achieve BI Governance.
3) Flexible hierarchies. BI Governance working groups
must be structured with flexible hierarchies to encourage
information exchange. Working groups will be structured
according to each function and will take on different roles
depending on the project involved. The aim is for hierar-
chies already existing in organizations to be constantly bro-
ken down and restructured under BI Governance, to avoid
the CIO bottleneck.
Figure 6: IT Governance Structure (Park et al[12]).
UPGRADE Vol. IX, No. 1, February 2008 29
IT Governance
4) People before processes. People make decisions; proc-
esses are controlled. We need to focus on providing infor-
mation to the people who control processes, and pay less
attention to defining the processes needed to control the
people, since in Business Intelligence systems these
decisional processes are so variable it is not viable to fully
model them.
6 BI Governance Framework
Now we have defined the values underlying BI Gov-
ernance, we can go on to structure the 4 components that
will make up our framework [14] (see Figure 7).
6.1 Guiding Principles
The guiding principles of BI Governance are the pillars
upon which the entire structure rests. They define the over-
all vision of the programme and the approval criteria for BI
initiatives and projects. Each organization should define
its own principles, but always based on the 4 values of BI
Examples of principles are:
BI must make users self-sufficient in terms of infor-
mation acquisition
BI must ensure that data is managed as a business
asset, in an integrated, standardized, and shared manner,
and that it must be reused across the various business func-
BI must ensure that there is a single version of cor-
porate "truth"
6.2 Decision-Making Bodies
Decision-making bodies identify who make decisions
within the scope of BI. The members of decision-making
bodies should consider individual functional areas and the
organization as a whole in order to provide a balanced and
ongoing vision of the real needs of the enterprise. These
bodies should provide communication and feedback chan-
nels. BI Governance decision-making bodies should always
be made up of a mixture of business and IT people.
Examples of decision-making bodies are:
BI Governance Committee. Responsible for project
management, prioritization, and BI/Business alignment.
Business Intelligence Competency Centre. A perma-
nent interdisciplinary team to safeguard the effective use of
BI tools.
The names and functions will vary according to the needs
of each organization. However, these decision-making bod-
ies must be structured in such a way as to encourage flex-
ible hierarchies and teamwork.
6.3 Decision Areas
These are responsible for identifying how decisions are
to be made and by whom, who has the right to make them,
and who is to be responsible for their management.
Examples of decision areas are:
Investment in BI.
Portfolio of BI applications.
Status of BI implementations.
Adoption of BI.
Delivery of value.
Generally speaking the agenda of the Decision-Making
bodies is decided by the Decision Areas.
6.4 Governance Mechanisms
These are the processes and procedures required for
applying BI Governance.
Examples of governance mechanisms are:
Definition of the life-cycle of BI projects.
Applications portfolio management.
Business cases and budgets.
Development processes for the various types of BI
Tracking and measurement.
Communication programmes.
Training programmes.
7 Conclusions
We are taking the first faltering steps towards BI Gov-
ernance; there is still a long way to go from the viewpoint
of both researchers and professionals. But before we put
structures of this type in place, the organizations themselves
need to mature.
Any attempt to implement BI Governance in organiza-
tions that are not oriented towards measurement and serv-
ice, that do not have a team spirit, or suffer from communi-
cation barriers, are doomed to failure.
The question is: Can we allow ourselves to fail? Obvi-
ously not. The success of an enterprise depends on its com-
petitive edge, and BI Governance provides us with a fast
track to that edge by closing the gap between IT and Busi-
ness once and for all.
And as a final thought: There must be a reason why the
acronym of Business Intelligence Governance is BIG
Figure 7: BI Governance Framework [14].
30 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
[1] David Selby. J ottings from the business intelligence
jungle. Proceedings of the 2002 conference on APL.
[2] P. Webb, C. Pollard, G. Ridley. Attempting to Define
IT Governance: Wisdom or Folly? HICSS06 Volume:
8; pp. 194a.
[3] IT Governance Institute. Board Briefing on IT Gov-
ernance, 2nd edition. Consulted at <www.>and <>on Nov 8,
[4] W. Van Grembergen, S. De Haes, E. Guldentops. Struc-
tures, Processes and Relational Mechanisms for IT
Governance (2004). W. (Ed.) Strategies for Informa-
tion Technology Governance, Idea Group Publishing,
Hershey PA.
[5] M. H. Larsen, M. K. Pedersen, K. Andersen. IT Gov-
ernance: Reviewing 17 IT Governance Tools and Ana-
lysing the Case of Novozymes A/S. HICSS06.
[6] A. Valle. Introduccin a ITIL. Seminar Sistemas de
informacin para organizaciones. FIB-UPC 2007.
[7] C. Betzya. BISM - you (probably) heard it here first.
Consulted at <
10/bismyou-prob.html>on Nov 10, 2007.
[8] A. Valle. Aqu huele a futuro Consulted at <http://>
on Nov 10, 2007.
[9] G. Ridley et al. COBIT and its Utilization: A frame-
work from the literature. HICSS04.
[10] S. De Haes, W. Van Grembergen. IT Governance Struc-
tures, Processes and Relational Mechanisms: Achiev-
ing IT/Business Alignment in a Major Belgian Finan-
cial Group. HICSS05.
[11] R. Peterson. Information strategies and tactics for in-
formation technology governance. In Strategies for in-
formation technology governance, a book edited by
Wim Van Grembergen, Idea Group Publ., 2003. ISBN:
[12] HP- Knightsbridge. Top 10 trends in Business Intelligence
for 2007. Consulted at <
ERC/downloads/4AA1-2492ENA.pdf >on Nov 10,
[13] N. Gutierrez. White paper: Business Intelligence (BI)
Governance. Consulted at <
governance.pdf>on Nov 10, 2007.
[14] B. Leonard. Framing BI Governance. Consulted at
<>on Nov
10, 2007.
[15] D. Larson, D. Matney. The four components of BI
Governance. Consulted at <>on Nov 10, 2007.
[16] Kenneth R. Brousseau, Michael J . Driver, Gary
Hourihan, Rikard Larsson. El estilo de toma de
decisiones de los directivos experimentados. Harvard
Deusto Business Review, May 2006.
UPGRADE Vol. IX, No. 1, February 2008 31
IT Governance
Keywords: Information Technology, IT Strategy, Project
Management, Project Portfolio Management.
1 Introduction
In recent years the management of information technol-
ogy projects has become an important piece of puzzle that
IT directors have to solve as part of their daily activities.
In order to respond to business activity and to market
needs, projects are continually added to, modified on or
eliminated from the list of technology projects to be carried
out. In many cases the increasing number and variety of
projects exceeds the capacity of IT areas to provide re-
sources, shift priorities or adapt infrastructure to changes.
Since the mid 90s the role played by project management
in information technology has grown year after year in response
to this problem. A study by the University of Bremen and the
PMI [1] details how the use of project management has ex-
tended to 86% of IT activities. Another indication of this growth
is the increase in the number of members of project director
associations. Of the 250,000 members represented at high lev-
els in the Project Management Institute (PMI), a large percent-
age come from IT areas.
This increase in the use of project management in IT has
undoubtedly and substantially improved project results. A
Standish Group [2] report that studied 30,000 IT projects shows
there was an evolution between 1994 and 2003, a period in
which it can be seen that the deviations from schedule went
from 222% in 1994 to 63% in 2003 and the cost deviations
from 189% to 49% during the same period. In light of these
results we can conclude that project management has meant
that individual projects and the work associated with them have
improved and that the deviations decrease, even though there
is still much room for improvement.
Despite this relevance, project management has often
been traditionally studied and implemented from an opera-
tional point of view, the unit of analysis being the project
and its measures of success restricted to the classic elements
of scope, time and costs.
In addition to the management of individual projects,
those responsible for IT are faced with the problem of im-
plementing the Information Technology strategy without
carrying out a single project with dedicated resources, but
rather having to manage a set of projects with resources
working in multitask environments. In this they are faced
with three difficulties: managing resources assigned to
projects, managing the interrelations between projects and
the contribution of the projects to the IT strategy.
To resolve these difficulties it is necessary to manage
the set of projects carried out by an organisation as a whole.
With this intention, in recent years, the concept of Project
Portfolio Management (PPM) is being minted. In a recently
published poll [3] taken among 130 people in charge of IT
in the United States, 25% of those surveyed apply in an
optimal way portfolio management techniques, 45% apply
them or are adopting them and 78% apply them, are adopt-
ing them or have plans to adopt them.
A project portfolio is a set of projects that share and
compete for a series of resources and are directed from
within the same organisation. We can consider portfolio man-
agement as a dynamic decision making process in which the
set of projects are evaluated, selected, prioritised and reviewed
in accordance with the contribution to the strategy. In accord-
ance with the principals of PPM, the resources must be as-
signed to the projects in accordance with the strategy.
This movement of project direction towards project port-
folios led the PMI to issue its standard for portfolio man-
agement in 2006. This standard represents a compendium
of the best practices in project portfolio management [4].
An organisation effectively manages its project portfo-
lio when the projects that make up the portfolio fulfil three
IT Project Portfolio Management:
The Strategic Vision of IT Projects
Albert Cubeles-Mrquez
Changes in market demand and in technology have meant that managing IT projects has recently become an authentic
challenge for those responsible for information technologies. This difficulty lies in managing individual as well as group
projects. This last area includes the concept of a project portfolio, a set of projects carried out within an organization and
sharing resources. In recent years portfolio management has proven to be a discipline that allows the value generated by
IT to increase and helps implement strategy through the projects.
Albert Cubeles-Mrquez is currently a tenured professor in the
project area of the Business Engineering School of La Salle (Bar-
celona, Spain) where he is also Director of the Master in Project
Management and Director of the area of the Master in Engineering,
Construction and New Technologies. Since 2005 he has been
Secretary of the Barcelona Chapter of the PMI and he has had
PMP accreditation since 2006 <>.
32 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
They are strategically aligned.
Maximisation of value.
The set of projects is balanced.
2 The Management of Mul ti pl e Proj ects and
Project Portfolio Management
A distinction must be made between managing a set of
projects and managing a portfolio of projects. In many or-
ganisations it is considered that a group of projects make
up a portfolio without taking into account their strategic
In fact, an independent group of projects does not make
up a portfolio, it is only a group of projects that consumes
time and resources. We can manage them as efficiently as
possible, optimising the allocation of resources and
prioritising accordingly.
The project portfolio has a clear strategic focus, the se-
lection and prioritisation must be carried out with a clear
strategic vision. Within the portfolio efficiency is desired
so that each project contributes to the strategy in the best
possible way.
In Table 1 we compare the differences between portfolio
management and the management of multiple projects [5].
Frequently, short term planning of a group of projects is
a response to the inability of management to define strate-
gic vision and objectives or to its ability to fall into political
or organisational disputes (see Figure 1).
Through the creation of project portfolios (see Figure
2) a shared vision is established between all those involved
in managing the projects.
The primary advantages of project portfolio manage-
ment are:
Dynamically aligning IT projects with business ob-
Maximising the return on IT investments.
Making the process of selecting and prioritising
projects transparent for the entire organisation.
Achieving that management, the functional areas and
the IT area speak a common language, share the same view
of the risk and collaborate in the decision making process.
Consolidating and reducing the number of redun-
dant projects and making it easier to avoid unsuitable
Redirecting IT investments from low value projects
to higher value projects.
Allowing those in charge of resources to plan their
allocation more efficiently.
The projects must be prioritized based on their relative
importance and contribution to the strategy. Each project
must also be prioritized relative to other projects evaluated
and to the projects under development. In addition, as the
technical and business environments change, the priority
of one or more projects must also change.
Once the priorities have been clearly defined, those in
Portfolio Management Management of Multiple
Purpose Selection and prioritisation
of projects
Allocation of resources
Focus Strategic Tactical
Planning Medium/Long term Short term
Responsibility Management Those in charge of projects
and resources

Table 1: Comparison between Portfolio Management and Management of Multiple Projects.

Proyectos reas de Negocio
reas de Negocio
reas de Negocio
Business Areas
Figure 1: Multi Project Management.
UPGRADE Vol. IX, No. 1, February 2008 33
IT Governance
charge of the projects and those who are responsible for
resources must continually ask themselves several critical
(1) Are the resources being allotted to the highest prior-
ity projects?
(2) Is resource use maximized?
(3) Are projects finished on time and under budget and
do they meet quality standards?
3 Management of Project Portfolios and Manage-
ment of Projects
A CIO council report about better practices [6] lists a
series of lessons learned about IT portfolio management.
The first one is "Understand the differences and relation-
ship between portfolio management and
project management and manage each in
a suitable way".
Within the projects and initiatives un-
dertaken by an IT department, IT project
portfolio management is focused on the
level added and on the goals and objec-
tives of the organization. Project manage-
ment focuses on a specific initiative, de-
fining and attaining its objectives under
cost, in time, and over planned perform-
As can be seen in Figure 3 project
management creates value by efficiently
carrying out individual projects, attaining
objectives in the established time and un-
der the established cost. Project direction,
on the other hand, creates value through the
identification, selection and prioritization of
projects. We could say that while project
management is focused on the projects, on
"doing things right", portfolio management
is focused on the whole and on doing the
right thing.
Creating value in the IT department
increases through the appropriate man-
agement of the project as well as the port-
The information in the portfolio is
obtained at the project level and, in addi-
tion to taking into consideration the state
of the whole, their priorities, risk level,
resource consumption and trade-offs be-
tween projects, it is also concerned for
the health and the best practices of indi-
vidual projects.
Along the same lines, improvements
in project management always have posi-
tive repercussions on the portfolio. Within
project management the elements that
contribute most at the portfolio level are
the availability of the information for de-
cision making and efficiency in project management.
4 A Process Model for Portfolio Management
In the PMI standard for portfolio management [4] we find
a very detailed process model that takes us from the strategy to
the portfolio ad form there to the programmes and projects. A
simpler model, adapted from Archer y Ghasemzadeh [7], ap-
pears in Figure 4. This diagram of processes connects the three
levels: strategy, portfolio and project.
The model begins with the project proposal and its indi-
vidual analysis. This analysis, which is usually accompa-
nied by a business case, aims to make an individual assess-
ment of the risk and the reward associated with achieve-
ment of the project where financial criteria such as VAN,
TIR and ROI, and assessment criteria of the strategic align-

Proyectos reas de Negocio
reas de Negocio
reas de Negocio
Business Areas
Figure 2: Project Portfolio.
Figure 3: Portfolio Management and Project Management.
34 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
ment are used. Some projects are already ruled out at this
Projects that meet the individual criteria enter the project
selection process where the projects, both those being car-
ried out and recently proposed projects, are compared. The
selection is based on the simultaneous evaluation of vari-
ous criteria through weighted or bubble diagrams. These
criteria, just as in the individual project analysis measure
risk, benefits and strategic alignment. In Figure 5 we can
see a bubble diagram representing four criteria, for exam-
ple risk and benefit on the axes and size of the project and
alignment in the size and colour, respectively, of the bub-
Once the projects are selected a balancing and
prioritization of the projects is done. Based on the available
resources and the prior assessment the projects are catego-
rized and prioritized and resources are allotted to them. The
projects are monitored according to this prioritization and
categorization. The result of this process means an updat-
ing of the plans of individual projects, adjusting them to the
new priorities (see Figure 6).
At this point the process becomes iterative, the projects
are carried out according to the updated plan and, as certain
stages are developed, the project is continuously assessed
individually and with respect to the rest of the portfolio until
its conclusion or cancellation.
Figure 4: Process Model.
Figure 5: Risk/Benefit Bubble Diagram.
UPGRADE Vol. IX, No. 1, February 2008 35
IT Governance
Figure 6: Prioritization of the Portfolio.
In the individual analysis, the selection, balancing and
prioritization of projects require a defined IT strategy that
allows an adequate assessment in each of the steps.
5 Need for an IT Strategy for Portfolio Management
As seen in the previous process diagram, having an IT
strategy for a business is the only way to balance the projects
in the portfolio. This strategy is necessary to ensure a bal-
ance between the short term (short and urgent projects) and
long term or important projects. If the project portfolio has
too many small projects that consume too many products,
this is usually due to not having defined the strategy or not
having made it operational in the right way.
We must take into account that the strategy becomes
reality at the moment of investing, in the case of IT through
the projects. For this reason, the IT strategy helps assign
resources to different projects, between short term and long
term ones, between those of high risk and those of low risk,
between new and existing technologies.
6 The Implementation of a Project Portfolio
Implementing IT portfolio management from the begin-
ning is not an easy task, just as implementing project manage-
ment is not when the organization is not accustomed to it.
When dealing with its implementation it must be kept in
mind that it is a continual process of improvement and it is
recommendable to follow a maturity model, like the matu-
rity model of Kerzner [8]. Although initially conceived for
the improvement of the project management, it is perfectly
applicable in the implementation of the project portfolio.
The five stages of the Kerzner model (Figure 7) are:
1) Common language.
Recognition of the importance of managing the project
portfolio and the need for good comprehension of the terms
and concepts associated with it management.
2) Common processes.
In this stage the basic processes of portfolio manage-
ment are defined so that the process is repeatable. The prin-
ciples and techniques of portfolio management are applied.
3) Singular methodology.
The process and all the criteria for project portfolio
management (including selection, prioritization and evalu-
ation) are the same for all the areas for which the decision
process is unique and objective.
4) Benchmarking.
Recognition that the portfolio management process needs
to improve and the evaluation should be carried out con-
tinuously. We will decide which area to improve and what
to improve.
5) Continuous improvement.
Evaluation of the information from the previous stage
and decision to include it in the existing methodology.
Once implemented our project portfolio must respond
to a series of basic characteristics in order to work:
Centralized view of the projects.
Financial analysis and risk analysis.
Interdependencies between projects.
Prioritization, alignment and selection.
Dynamic evaluation of the portfolio.
Restrictions: resource limitation, capacities of staff,
of the budget or of the infrastructure.
7 Prerequisites for the Implementation of Port-
folio Management
Before beginning to implement PPM in an organization
some preconditions must be taken into account:
Existence of a business strategy and an IT strategy.
An organization that is going to implement a PPM must
have defined business and IT strategies, and have commu-
nicated them to all the departments involved. The PPM ob-
jectives are adjusted to this strategy. The initiatives to im-
plement a portfolio will be unsuccessful if there are not
36 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
existing business and IT strategies and we are simply left
with multi-project management.
Involvement of the management. The management
has to be involved to have a comprehensive view of the
portfolio and its projects. Without the support and the total
understanding on the part of the management, the constant
competition for resources and the changes in priority will
never be effective.
Competence Abilities of the team. Another relevant
aspect is the importance of having a project team with rel-
evant financial and strategic knowledge and abilities.
8 Software for Portfolio Management
The growth in interest on the part of IT departments in
project portfolio management has been accompanied by a
proliferation of software applications for project and port-
folio management.
The appearance of these software applications is helping
the most administrative work of gathering data and preparing
the information for analysis. In spite of that the software for
portfolio management tends to provide a more operative vi-
sion of the portfolio. They are a great help for the collection of
data that exist in the scheduling of the project and add them at
the portfolio level, which improves the management of re-
sources significantly. However, an adaptation is needed to
analyze the project from the most strategic viewpoint.
In this adaptation we will have to add information to the
projects that is not in their scheduling component: the classifi-
cation of clients, the financial calculations, the stages within
the portfolio and the assessments of risk, among others. These
last ones provide a classification of the projects based on stra-
tegic elements, maximizing the value and balancing the projects
and using techniques related with portfolio management.
9 Conclusions
In recent years portfolio management has been demon-
strated to be a discipline that increases the value created by IT
and helps implement the strategy through the projects. Its im-
plementation in businesses requires a series of stages that fol-
low a maturity model and that need the implication of the man-
agement and the existence of an IT strategy that the portfolio
must fulfil as key factors for its effective operation.
[1] University of Bremen, PMI et al. Project Management
World Study, 2003.
[2] Standish Group International. CHAOS Chronicles,
[3] M. J effery, I. Leliveld. Best practices in IT portfolio
management. Sloan Manag Rev 2003; 45.
[4] Project Management Institute. The standard of Portfo-
lio Management, 2006
[5] D. Lowell, J . Pennypacker. Project Portfolio Manage-
ment and Managing Multiple Projects:Two Sides of
the Same Coin? Proceedings of the Project Manage-
ment Institute Annual Seminars & Symposium Sep-
tember 716, 2000, Houston,Texas, USA.
[6] CIO Council. A summary of first practices and lessons
learned in IT Portfolio Management, 2002.
[7] N.P. Archer, F. Ghasemzadeh. An integrated framework
for project portfolio selection. International J ournal of
Project Management Vol. 17, No. 4, pp. 207-216, 1999.
[8] Harold Kerzner. Strategic planning for project man-
agement using a project management maturity model.
J ohn Wiley & Sons, 2001. ISBN: 0471400394.
Figure 7: Kerzner Maturity Model.
UPGRADE Vol. IX, No. 1, February 2008 37
IT Governance
ISO20000 An Introduction
Lynda Cooper
ISO20000 is the International Standard for IT Service Management. This article provides an overview covering the his-
tory of the standard, the scope and relationship to other standards and frameworks as well as benefits realised. The article
also recommends additional sources of information.
Keywords: Benefits, BS15000, Drivers, International
Standard, IT Service management, ISO20000, Scope.
1 History
ISO 20000
has a long pedigree being underpinned by
ITIL service management best practices. The first version
was a British Standard, BS15000, published in 2000. Fol-
lowing an early adopters trial, various recommendations
for improvement were made and the standard was updated
in 2002. This was then fast tracked to become an interna-
tional standard, ISO20000 which was published in 2005.
The first certification scheme for organisations to be
certified was launched in November 2003 by the ITSMF
(IT Service Management Forum) and is entirely in line with
the ISO9000 certification scheme. External auditors must
be approved by ITSMF and are known as Registered Certi-
fication Bodies (RCBs) who are listed on the ISO20000 web
site, <>.
2 Framework
The framework of service management guidance is rep-
resented in Figure 1. Although the framework shows the
most commonly used best practice framework of ITIL, it is
not mandatory to implement ITIL best practice in order to
satisfy the requirements of the standard. Use of other frame-
works such as eTOM will be equally valid.
3 Individual Qualifications
In addition to corporate certifications, there are several
qualifications available for individuals. These are:
ITSMF - ISO20000 consultant certificate aimed at
those who will consult, either internally or externally, or
manage an ISO20000 programme.
ITSMF - ISO20000 auditor qualification is aimed at
internal and external auditors who will be auditing against
EXIN Service Quality Management Foundation
aimed at individuals working in an ISO20000 organisation.
EXIN Service Quality Management Advanced aimed
at consultants or managers.
ISEB ISO20000 Essentials course to be released early
4 Scope of the Standard
The standard requires an IT Service provider, either in-
ternal or external, to satisfy requirements for all processes
as shown in the process model depicted in Figure 2. The
processes cover the ITIL processes and bring in additional
areas to provide a complete view of IT Service Manage-
ment. There can be no processes excluded for certification.
The scope does allow for some of the processes to be
outsourced as long as management control can be shown
over those outsourced processes.
The standard aligns with ISO9001 in the Management
System requirements and the Plan-Do-Check-Act cycle in
Planning and Implementing Service Management. Indeed
those companies with ISO9001 certification should already
find that they satisfy some of the requirements of ISO20000.
ISO20000 can be achieved either in conjunction with
ISO9001 or stand alone.
ISO20000 also links with ISO27001. The requirements
for information security management within ISO20000 are
a sub set of those in ISO27001. Those companies already
certified to ISO27001 level for the same scope should have
already satisfied all the information security requirements
in ISO20000. The standard can be attained for varying
scopes within a service provider:
All or some IT Services, e.g. financial services, sup-
ply chain services.
All or some Technology, e.g. application manage-
ment, infrastructure management, desktop support.
All or some customers, e.g. one specified customer
or all customers.
All or some locations, e.g. one location or all locations.
Lynda Cooper, International Director of Consulting of Fox IT
<>, has industry recognition as a thought
leader in Service Management working as a strategic consultant
and trainer. Her work culminated in the publication of the British
Standard for IT Service Management BS15000, and then the
International Standard, ISO/IEC 20000. A keen advocate of the
pragmatic use of best practice, Lynda is active in industry forums
and on conference platforms. She represents the UK on the
ISO committee for IT Service Management as the Principal UK
Expert. She has the ITIL Managers Certificate and has been
involved in ITIL3 as a reviewer. <>.
ISO20000 is the commonly used abbreviation for the International
Standard for IT Service Management whose full title is ISO/IEC 20000.
38 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Figure 1: Framework of Service Management Guidance.
Figure 2: ISO20000 Process Model.
5 Why Achieve ISO20000
There are various drivers for wanting to gain ISO20000:
An independent certification offers an industry rec-
ognised benchmark of quality.
The certification proves that the provider can offer
best practice in service management and service delivery.
More importantly, the certificate ensures that an or-
ganisation gains all the benefits of utilising best practice in
service management. Many companies claim to implement
ITIL best practice but these are often selective implementa-
tions which are not independently checked. With ISO20000
as with any other standard, the use of best practice will be
assessed annually ensuring that all the benefits often prom-
ised are truly gained. These benefits will cover improved
UPGRADE Vol. IX, No. 1, February 2008 39
IT Governance
quality of service, cost savings, reduced risk and continu-
ous improvement.
Even if the service provider does not go for formal
certification, the 13 pages of mandatory requirements in the
standard provide a focus for what to do to implement best
practice service management. This can then be supplemented
with the use of ITIL or other frameworks for the detail of
how to implement each process.
For many external service providers, the benefits are
in demonstrating a competitive edge or in being able to re-
spond to proposal requests that demand ISO20000 certifi-
6 Future of the Standard
The standard is already being updated by the Interna-
tional Standards Committee responsible for service man-
agement. This committee has representatives from many
countries including Spain. The standard will remain stable
for some years which is important in the marketplace. The
next update is likely to be published in 2009 or 2010. Up-
dates will cover:
Removal of ambiguity from some wording.
Improvement and updating of some requirements
based on feedback.
Some alignment to ITIL3.
7 Further Information
There are various publications available to support the
standard including:
- ISO/IEC 20000 - part 1 and part 2.
- ISO/IEC 20000 Self assessment workbook - BSI publication
- A Managers guide to service management - BSI publication.
- Achieving ISO/IEC 20000 series - BSI publications.
- ISO/IEC 20000 pocket guide - ITSMF publication.
The web site also points to useful information about
auditors and certified companies <www.isoiec20000>.
40 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
COBIT as a Tool for IT Governance:
between Auditing and IT Governance
Juan-Ignacio Rouyet-Ruiz
Cobit is establishing itself as an effective tool to set up IT Governance that will help IT departments convert themselves
into technological partners of businesses. When analysing the suitability of Cobit for IT Governance we must be aware of
its origins in auditing, and of its strengths and weaknesses resulting from such an origin. In this article we analyse Cobits
strengths and weaknesses as a framework for IT Governance, using as a reference another IT Governance model, that of
Keywords: Alignment, Auditing, Cobit, IT Governance,
Management of IT Services, Strategic Process Orientation.
1 Introduction
In recent decades IT departments have been forced to
evolve towards a necessary strategic alignment between the
IT function and the business needs of the organization. Under
this paradigm, IT departments have faced the situation of
having to make a value proposition of their activity which
is in line with the interests of the corporate management
[1]. To that end the IT function is managed in three phases:
it begins as a management model focused on the reduction
of operational costs (technology provider); it then becomes
a service organization, that seeks to satisfy the necessities
of its clients (service provider); and it ends up as a business
partner offering valuable solutions and seeking the interest
of stakeholders as well as growth in market turnover or pen-
etration (technology partner) [2].
In this article we focus on management in terms of the last
IT function. From a theoretical perspective, such an alignment
is achieved with Henderson and Venkatramans SAM model
[3]. The next step consists of being capable of carrying out this
strategic alignment from a practical point of view, for which
elements such as IT Governance are necessary.
Currently one of the main models for IT Governance is
Cobit, a model rooted in auditing. This origin in auditing
gives Cobit characteristic strengths and weaknesses. In this
article we will analyse the suitability of Cobit for IT Gov-
ernance. To do that, we will study in some detail what is
understood by IT Governance, and we will compare Cobit
with Petersons IT Governance model.
2 The Concept of IT Governance
In order to clearly define and understand the concept of
IT Governance, we must first be aware that it fits within the
practices and regulations of corporate governance. Accord-
ing to the OECD (Organization of Economic Co-operation
and Development) corporate governance aims to establish
responsibilities to assure objectives and measure perform-
ance [4]. Such performance is related with the creation of
Juan-Ignacio Rouyet-Ruiz has a degree in Telecommunications
Engineering from the Technical University of Madrid (1997).
He began his professional activity in the field of training
consultancy in 1998. Since 2002 he has been involved in
numerous ITIL implementation consultancy projects within key
accounts, primarily in the Industrial and telecommunications
sectors. In 2005 he joined Quint Wellington Redwood as an
ITIL consultant, where he has been carrying out strategic
consultancy activities in IT service management. As the person
responsible for the quality of the training department in a
multinational company he has successfully been through several
AENOR audits. He has participated in IT service management
congresses and conferences, and has published articles in that
field. He is currently writing his doctoral thesis in the field of IT
Governance. <>.
value for the organization and the management of its re-
sources in an efficient and transparent way. This leads us to
the four elements that make up corporate governance: re-
sponsibility, guaranteeing objectives, creating value and
resource management.
These same four elements must be applied to the IT func-
tion, especially taking into account the direct implications
that technology and its management currently have on busi-
ness processes. From under these basic assumptions, there-
fore, the concept of IT Governance emerges as a subset of
corporate governance. There is currently no consensus about
exactly how to define IT Governance, although it is true
that the various definitions have common elements.
We can begin with the definition provided by MIT (Mas-
sachusetts Institute of Technology), through its Sloan School
of Managements Center for Information Systems Research
(CISR), which points out that IT Governance specifies the
decision making rights and the framework of responsibili-
ties to promote desirable behaviour in the use of IT [5].
Notice that this definition is clearly focused on decision
making, but does not define what to decide, calling it sim-
ply desirable behaviour in the use of IT.
UPGRADE Vol. IX, No. 1, February 2008 41
IT Governance
Responsibilities of Corporate Governance Responsibilities of IT Governance
How do shareholders get executives to return
some profit?
How do shareholders make sure executives do
not waste the capital lent in loss-making
investments or projects?
How do shareholders control executives?
How does advanced management get the IT
director and the IT to return value from the
How does advanced management make sure
the IT director and the IT do not waste capital
in loss-making investments or projects?
How does advanced management control the
IT director and the IT?

Another definition is taken from Wim Van Grembergen,
according to whom IT Governance is the capacity to or-
ganize, executed by the board of directors, executive man-
agement and IT managers, to control the formulation and
implementation of the IT strategy and, in this way, ensure
the fusion of business and IT function [6]. As can be seen,
this definition is focused on defining who is primarily re-
sponsible for IT Governance, and pays special attention to
searching for alignment between the IT function and the
Finally we provide the definition offered by the IT Gov-
ernance Institute (ITGI), the body that created Cobit: IT
Governance is the responsibility of the board of directors
and executive management, and consists in leadership and
organizational structures and processes that ensure that the
IT function of the company sustains and extends the organi-
zations objectives and strategies [7]. As can be seen, this
definition is also focused on who must assume the respon-
sibility for IT Governance, at the same time that it indicates
in greater detail the activities and structures that make it up.
It also defines more precisely what Van Grembergem called
the fusion of business and the IT function, which, according
to ITGI, consists in the IT function sustaining and extend-
ing the organizations objectives.
These definitions make it apparent that there are vari-
ous points of view of IT Governance, and it may therefore
be that we do not have a clear idea of what it is exactly. To
obtain an overall view we can refer to Table 1, in which IT
Governance is compared to corporate governance.
J ust as there are different definitions of IT Governance,
there are just as many practical models for its implementa-
tion because the concept of IT Governance is difficult to
classify in a simple collection of processes or mechanisms.
The lack of a single model means we need, at least, a frame-
work to indicate what should be considered, leaving how
such considerations should be taken into account to the pri-
vate interpretation of each model. To arrive at some con-
sensus on the common objectives of IT Governance we can
refer to Forrester, an independent IT consultancy of recog-
nised prestige. According to that organization, the objec-
tives of IT Governance are: IT function value and align-
ment, risk management, performance measurement, and
responsibility [9], which are all aligned in some way with
previously indicated objectives established by the OECD.
We will analyse Cobit based on these objectives and
using the IT Governance model of Peterson as a reference.
3 Petersons IT Governance Model
Peterson [10] establishes a framework that indicates what
aspects must be taken into account to implement IT Gov-
ernance, leaving to the choice of each company exactly how
to implement it. In search of a performance framework, this
author establishes that IT Governance must be implemented
according to a set of structures, processes and relational
mechanisms. Structures are understood as the existence of
a set of responsibilities; processes refer to decision making
and performance measuring activities; finally, relational
mechanisms make clear the need for the IT function to par-
ticipate in the business and favour communication (see Ta-
ble 2).
Achieving Forresters previously listed IT Governance
objectives, Petersons model focuses on the definition of
responsibilities and on risk management, achieved mainly
through the definition of the structures and the relational
mechanisms. The measurement of performance would ap-
pertain more to the field of processes. However, it does not
establish clear mechanisms to define the IT functions value
and alignment with the business.
4 Cobit as a Model of IT Governance
Cobit was developed by the Information Systems Audit
and Control Association (ISACA), through the IT Govern-
ance Institute (ITGI), as a management auditing mechanism
for IT departments, and over time has become a standard
for IT Governance. The Cobit acronym stands for Control
Objectives for Information and Related Technology, which
indicates the way Cobit should be considered: as a system
that facilitates IT management controls.
According to ITGI [7], Cobit supports IT Governance
by creating a framework that covers the following five ar-
eas: strategic alignment, value delivery, resource manage-
ment, risk management and performance measurement. To
that end, it establishes four courses of action: focused on
the business, directed towards processes, based on controls
Table 1: Corporate Governance and IT Governance [8].
42 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
and guided by metrics.
The main idea of Cobit is to make available a series of
processes that will help manage and control the IT function
resources, and make sure the business receives the infor-
mation it needs to achieve its objectives. To define how the
information should be, Cobit establishes a series of require-
ments the information must meet to be satisfactory for the
business, which it calls information control criteria: effec-
tiveness, efficiency, confidentiality, integrity, availability,
compliance (of laws, regulations, etc.) and reliability.
With regard to its process direction, Cobit offers a set of
processes grouped into four blocks of activities: planning
and organization (PO), acquisition and implementation (AI),
delivery and support (DS) and monitoring and evaluation
Finally, in order to be based on controls and guided by
metrics, Cobit defines the IT control objectives as a decla-
ration of the desired result or of the objective to attain
through the implementation of control procedures in a par-
ticular IT activity. The Cobit metrics feature three measure-
ment elements: maturity models, performance metrics and
activity objectives, of which, the performance metrics are
the best known.
The performance metrics are established in two groups:
the key goal indicators (KGI) and the key performance in-
dicators (KPI). Along these lines, the diagram of perform-
ance metrics grouped on three graduated levels is well
known: those that measure if the goals of the IT function
have been fulfilled (IT KGI), those that measure the fulfil-
ment of the IT process goals (process KGI), and finally those
that measure the performance of such processes (process
KPI). This chain of measurements makes Cobit more busi-
ness oriented, since that the impact that a process has on the
business can be monitored from the lowest to the highest
5 Conclusions
According to the OECD, corporate governance should
focus on four elements: establishing responsibilities, attain-
ing goals, creating value and managing resources. Adapt-
ing these goals to the IT environment, Forrester proposes
the following five elements: IT function value, alignment,
risk management, performance measurement and responsi-
bility definition. In terms of these principles, Cobit shows
great strength with regard to performance measurement,
value creation and risk management.
To be sure, due to its metrics structure, grouped in IT
KGI, process KGI and process KPI, the performance meas-
urement of the IT activity is kept totally under control. To
the degree that the IT function is able to demonstrate its
performance, it also shows its value to the business, given
that value demonstration is currently and unfailingly con-
nected to quantitative terms. In the same way, the strong
measurement control makes sure the risks of diversion from
objectives are also controlled, which is why Cobit also fea-
tures great strength in risk management.
Table 2: Structures, Processes and Mechanisms of Relation for the Implementation of IT Governance [10].
Structures Processes Relational mechanisms
IT board of

Making strategic IT
Monitoring the IT
Participation of
all concerned

Shared learning
Roles and
structure of the IT
IT director on the
IT strategic
IT management
Strategic planning of
Information Systems
IT balanced scorecard
Economic information
Service level
COBIT and the ITIL
IT Governance
maturity models
participation of
those primarily
between those
and incentives
for business-IT
J oint business-
IT siting
of the business
and the IT
Active conflict
resolution (not
Inter functional
Inter functional
business-IT job

UPGRADE Vol. IX, No. 1, February 2008 43
IT Governance
These three strengths are sustained in two characteristic
aspects of Cobit: its origins in consultancy and its orienta-
tion towards process. Its origins in consultancy are the re-
sult of having the so-called control objectives of the proc-
esses and control criteria of the information. The first guar-
antees the minimum requirements each process must meet;
the second guarantees that the information is that which the
business needs. Notice that both cases deal with control, as
this is the foundation for measuring performance and man-
aging risks. And we must not forget the very meaning of
Cobit (Control Objectives for Information and Related Tech-
nology), which indicates how Cobit should be considered:
as a system that facilitates information and technology con-
trols. The orientation towards processes structures the en-
tire set well.
The system of nesting metrics, which makes a KGI from
one level become a KPI from a higher level, provides the
necessary mechanism for a correct alignment of the IT func-
tion. Through the Cobit metrics it is possible to see the
importance of a performance measurement (KPI) in the IT
goals. That is, a relationship is seen between process activi-
ties and their influence over IT goals, which leads to align-
But it is here, in this point, where the weaknesses of
Cobit also begin to appear. We talk about alignment, but we
must point out that such an alignment remains within the
IT. Indeed, as we have seen, Cobit shows great strength in
establishing suitable controls so that the IT activities are
attuned to IT goals. The weak point lies in the link between
IT and business goals. As can be seen in Appendix I [7] of
Cobit, once the goals of the business are known, the rela-
tion with the IT goals is achieved by selecting a series of
processes. This can produce indetermination as well as of
Rigidity comes from having to establish some processes
according to the strategy, when it is known that stable proc-
esses should be established over time, and be sufficiently
flexible in their goals and performance measurement to be
adapted to any strategy. The indetermination originates in
the fact that Cobit neglects aspects related to taking respon-
sibilities and the relational mechanisms that guarantee the
alignment with the corporate strategy. These structures of
responsibility and relational mechanisms go beyond the
RACI matrixes defined by Cobit and focused on the inte-
rior of the IT, but they do not establish mechanisms so that
the IT is one more element in the Management Committee,
a true governing element.
Thus, Cobits origins in auditing makes it a perfect frame
of reference for the internal control of IT, guaranteeing per-
formance measurement, value creation and risk manage-
ment. These fields are defined in Cobits process orienta-
tion and in the structured metrics system that measures those
processes. From our point of view, the aspects that must be
improved revolve around the establishment of responsibili-
ties and alignment with the business strategy. For those as-
pects we consider most difficult to grasp, we could refer to
Petersons IT Governance framework, which establishes
elements for governance structures and relational mecha-
nisms, the elements that finally control the formulation and
implementation of the IT strategy based on the business strat-
[1] N. Kriebel, P. Matzke. Building Meaningful Business
Value Propositions. Forrester, August, 2006.
[2] O. Le Gendre. IT Departments and IT Governance.
Gartner, IT Governance Forum-J une, 2001.
[3] J .C. Henderson, N. Venkatraman. Strategic Aligment:
Leveraging information technology for transforming
organizations. IBM System J ournal, Vol 38 - N 2&3,
[4] OCDE. Principles of Corporate Governance. OECD,
Pars, 2004.
[5] P. Weill, J .W. Ross. IT Governance: How top perform-
ers manage IT decision rights for superior results.
Harvard Business School Press, Boston, Massachusetts,
2004. ISBN: 1591392535.
[6] W. Van Grembergen. Structures, processes and rela-
tional mechanisms for Information Technology Gov-
ernance: Theories and practices en Strategies for In-
formation Technologies Governance. Hershey: Idea
Group Publishing, 2003. ISBN: 1591401402.
[7] IT Governance Institute. Cobit 4.0. Rolling Meadows:
IT Governance Institute, 2005.
[8] T. Sheleifer, W. Vishny. A survey on Corporate Gov-
ernance. The J ournal of Finance, 52(2), 1997.
[9] C. Symons. IT governance framework. Forrester,
March, 2005.
[10] R. Peterson. Information strategies and tactics for In-
formation Technology governance, en W. Van
Grembergen (Ed.), Strategies for Information Technol-
ogy Governance. Hershey, PA: Idea Group Publish-
ing., 2003. ISBN: 1591401402.
44 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Keywords: CobiT, Governance, IT Governance, ITIL,
Val IT.
1. It is our intention to respond to UPgrades kind invi-
tation to write "an article explaining how to put to work, on
a joint basis, CobiT and VAL IT, and maybe ITIL".
2. The title chosen addresses the invitation, highlights
the objective (Implementing Good IT Governance), and
introduces a neologism, ad@pting, as a healthy mix of adopt-
ing and adapting. We hope the article will honour the title
and explain, if not justify, our ad@ption of the neologism.
3. Good IT Governance is a topic of utmost importance,
one which is getting hotter by the day and has increasing
but still lagging interest for businesses, professionals, con-
sultants, and society as a whole.
4. It should concern society, as ICTs pervasiveness is
ever expanding in enterprises, institutions, and society and
because in Good Corporate or IT Governance we all have a
voice (or will end up having one)
5. It has been said that the adequate restatement of an
issue is more than halfway to solving it. It is the purpose of
the authors to help our readers with an honest and modest
attempt at restatement.
6. The usual length limitation set for this article but,
above all, the intrinsic communicational limitations of the
authors may lead the reader to a hasty impression that the
whole subject is just a matter of grandiose caricature state-
ments, when the authors (from their professional training,
experience and principles) know and preach the opposite:
the subtleties, the greys, and the maybes.
7. As a first example of "caricature statement": we do
not believe that CobiT, Val IT or ITIL can be implemented
in organizations.
Implementing IT Governance Ad@pting CobiT,
ITIL and Val IT: A Respectful Caricature
Ricardo Bra-Menndez and Manuel Palao Garca-Suelto
In this article we present some guidelines for the combined use of three reference models and a series of points and criteria
to be considered in respect of their complementarity.
Ricardo Bra-Menndez has specialized in the areas of con-
sulting and auditing and, for the last 10 years, in the emerging
topic of IT Governance, which he puts as a top priority in the
agenda of enterprises and organizations across the world. Since
1982, he has been an active member of ISACA (Information
Systems Audit and Control Association). ISACA is a professional
organization recognized as a world leader in Governance,
Assurance and Security where Ricardo has sat on numerous
boards and committees, and was elected as International Vice
President. Mr. Bras professional career has been developed in
the United States, Latin America and Europe. For many years
he worked for a large international auditing and consulting firm
and was also Organization and Process Improvement Manager
for a major international Bank. He is CISA (Certified Information
Systems Auditor) and ACT (Accredited CobiT Trainer) certified
by ISACA, and graduated in Business Administration at the
University of Texas at Dallas <>.
Manuel Palao Garca-Suelto holds an ABD in Computer
Sciences and Civil Engineering and has Bachelor Degrees in
Statistics and Operations Research, and Sociology. He is CISA
(Certified Information Systems Auditor), CISM (Certified
Information Security Manager) and ACT (Accredited CobiT
Trainer) certified. He has been an ATI (the Spanish Association
of Computer Technicians) Senior Member since 1975 and Co-
coordinator of Novticas (the journal of ATI) Technical Section
"IT Audit" for the past six years. He has been Managing Partner
of Personas & Tcnicas: Soluciones, SLU, and Partner and CTO
of The Model Company, Modelco SL. He served as President of
ISACAs Madrid Chapter for two terms. Professor at UCLMs
Master Program on IT Security and UPM+ALIs Master
Program on IT Security and Audit; Professor and Area
Coordinator at Deusto Universitys Master Program on IT
Governance. He has authored a book on MIS, and has also
written several chapters for books and more than 200 articles
8. This "non-implementability" requires a prior reflec-
tion on regarding frameworks (such as CobiT, Val IT and
ITIL), their needs, characteristics, and differences with many
other standards. This exercise of reflection is much needed
and of considerable importance as there appears to be con-
siderable confusion (fuelled by some spurious interests)
regarding standards and frameworks and their certifiability,
compatibility and profitability.
Good IT Governance is meant to serve stakeholders interests.
The AS/NZS 4360:2004 Risk Management standard defines
stakeholders as those "who may affect, be affected by, or perceive
themselves to be affected by a decision, activity or risk."
UPGRADE Vol. IX, No. 1, February 2008 45
IT Governance
9. The following characteristics are being proposed in
general, tentative terms as we are unaware of a more rigor-
ous taxonomy or definitions. Frameworks, generally, are
oriented towards "best practices", while standards are ori-
ented towards "minimum requisites". Frameworks deal more
with "what" and standards with "how". Frameworks have a
broader scope, are more flexible and compatible; standards
are more stringent, rigid and self-contained, when they are
not actually exclusive.
10.Good frameworks are needed to ensure, in the broad-
est possible way, that IT resources are aligned with the busi-
ness/service objectives of the enterprise/institution, and that
services rendered and information provided comply with
the minimum requirements of quality (cost, distribution,
quality), security (confidentiality, integrity, availability) and
trust. They are a code of good (or best) practices.
11. According to COSO
, which we familiarly call "the
Mother of all Control Frameworks", fiduciary or trust-re-
lated requirements are intended to ensure the effectiveness
and efficiency of operations, the reliability of financial re-
porting, and compliance with laws and regulations.
12.In our global and highly interrelated world, there
must be and there must be seen to be significant conver-
gence between the various efforts to produce and maintain
frameworks and standards. If such convergence does not
happen or if it is not seen to be happening at a reasonable
speed, one may suspect the existence of hidden interests
and artificial barriers which (as a result of being driven by
hidden agendas) may pose serious risks for those not suffi-
ciently well informed.
13.This same general convergence can be seen in the
history of art (romanticism in music, cubism in painting)
and - due to its particular nature - in the history of science
(Boyle-Mariotte in the XVII century, with their ideal gas;
Watson-Venter, the day before yesterday, with the human
genome; or the counterexample in Spain in the mid-20
century, under Francos dictatorship, when Professor J ulio
Palacios maintained, in front of important audiences, the
radical falseness of Einsteins Theory of Relativity
. This
latter example of divergence is not trivial. Sadly, unscrupu-
lous visionaries and liars often speak louder than those who,
by trial and error, seek the right path.
14.A similar trend towards convergence can be seen in
the specific case of the frameworks and standards that in-
terest us. Here are a couple, by way of example:
15.One: ISO 9001:2000 (as opposed to ISO 9000:1996)
introduces and highlights the consideration of "customer
satisfaction" in convergence, for example, with EFQM (in-
troduced in 1992), in turn converging with the US "Malcolm
Baldrige National Quality Improvement Act" of 1987 (100-
16.Another: ITIL (a product created in 1986 by the UK
Government (CCTA) for the UK Government) in 1991 de-
cided to try and expand its approach to private enterprise,
in convergence with ISACAs Control Objectives (1976),
the forerunner of CobiT (1996).
17.Where the general convergence of standards and
frameworks stands out is in their preference for improve-
ment process over the milestone. In this respect, probably
the most widely known reference is Demings PDCA wheel:
18.A good framework, according to generally accepted
principles, must meet the following four requirements:
19.First of all: process orientation. This basically means
that all activities are organized into processes (that are more
or less repeatable, documented and traceable, among other
properties described by most maturity models) which have
a "process owner" with clearly defined responsibilities. For
the purpose of this article, the focus is on good IT Govern-
ance, as a means of meeting business needs while narrow-
ing the gap between risks and control requirements and help-
ing to optimize IT-related investments by providing the
means for measuring and evaluating them.
20.Secondly, it has to be based on commonly accepted
practices such as technical standards (ISO, EDIFACT, etc),
codes of ethics (Council of Europe, OECD, ISACA, etc.),
systems, and IT process qualification criteria (ITSEC,
TCSEC, ISO9000, SPICE, TickIT, Common Criteria, etc.),
internal audit and control professional standards (COSO,
dustry and governmental requirements and practices (ESF,
IBAG, NIST, DTI, BS7799, etc.).
21.Thirdly, common language. The use of common
terms (provided by a framework) enables and encourages
communication between members at different levels and in
different departments of the enterprise, and with consult-
ants, customers, vendors, and third parties in general, while
avoiding misunderstandings resulting from different even
opposite - interpretations of the same word. It also helps to
bridge the traditional communications gap between busi-
ness and technology and to establish objective, intelligible,
and shared metrics and indicators.
22.Lastly, good frameworks take into account the pro-
motion and adoption of regulatory requirements. Regula-
tory compliance is a complex and costly task. The adoption
Copyright 1985-2006 The Committee of Sponsoring Organi-
zations of the Treadway Commission.
Thomas F. Glick: "Ciencia, poltica y discurso civil en la Espaa
de Al fonso XIII". Espaci o, Ti empo y Forma, Seri e V, f-i ."
Contempornea, t. 6, 1993, pp. 81. <
46 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
of a framework based on generally accepted standards fa-
cilitates compliance and helps demonstrate compliance to
third parties.
23.Good frameworks are not radical or fundamentalist;
rather, they are tolerant. They facilitate and even promote a
cooperative promiscuity between different standards and
frameworks. It is a shame though, that some people, out of
ignorance or vested interest, try to misuse a good frame-
24.An outstanding example of positive framework hy-
bridization is provided by ISO "management systems" (con-
sidered here as a single framework). ISO 9001:2000 (Qual-
ity Management), ISO 14000:2004 (Environmental Man-
agement), and ISO 27001:2005 (Information Security Man-
agement). Three standards on quite different subjects, shar-
ing a common framework (the "management system"). In
the recent words of a prominent AENOR (Spanish Associa-
tion for Standardization and Certification, the Spanish mem-
ber of ISO) executive: "the same engine [or framework, to
use our word] with different data". The three standards (and
others that will presumably be joining them soon) share
structure, documentation and procedures, which enables,
simplifies and increases the benefit of their everyday joint
use (not just their joint certification or re-certification).
25.But the most paradigmatic example in our area of
concern is perhaps CobiT mapping to other frameworks and
standards. To date (December, 2007) ISACA, in addition to
its general mapping to "good international practices", has
published 9 CobiT maps to specific frameworks or stand-
ards (CMMI for Development, ISO/IEC 17799:2000, ISO/
I ES 17799:2005, I TI L, NI ST SP800-53, PMBOK,
PRINCE2, SEIs CMM for Software, TOGAF 8.1). We also
know that CobiT mapping with ISC2 CBK, the framework
underlying CISSP, is currently in the pipeline.
26.In addition to all the above, good frameworks are
democratizing. We use the term here to mean that their fea-
tures make them applicable (ad@ptable) to any organiza-
tion, regardless of industry and/or size, due to the fact that
good frameworks consider the whole picture in a holistic
manner, but divided into manageable and independent, al-
beit interrelated, parts with well-defined and responsible
limits and relationships, and with a clear and precise as-
signment of rights and obligations.
27.Successfully ad@pting a good framework (or a
number of them as they are not mutually exclusive), also
have a "revolutionary" and distinguishing quality: small/
immature organizations can take a leap forward and posi-
tion themselves in the best-of-breed category (where one
would normally only expect to see Fortune
1000 compa-
nies). This (fortunately, since it represents a window of op-
portunity) clashes with the rigid ideology of maturity mod-
els interested in selling a supposedly inexorable "phase by
phase" (or fascist goose stepping) approach.
28.Going back to where we were a few paragraphs ago,
we claim that CobiT, ITIL or Val IT cannot be implemented
in the sense of implanted "to fix or set securely or deeply
as in the case of a pine tree in the backyard, a dovetail joint
in the carpenters shop, or a kidney in the operating theatre.
Those are events or, to be more precise, they are the final
concrete, permanent and tangible outcome of a project.
29.Frameworks are "adopted" and "adapted" (ad@pted)
in a living and continuous process in which an enterprise/
institution, starting from any stage, sets sail towards ever
higher levels of excellence (the journey being more impor-
tant than the destination).
30.To arrive at the destination it is of utmost impor-
tance to choose the right vehicle for the journey. However,
apart from selecting which framework or frameworks (since
nobody today is at risk of dying from a lack of frameworks,
standards and best practices), maybe the most critical suc-
cess factor for the trip is who makes the decision and who
sponsors the journey.
31.This is a process that cannot flow upstream, against
32. If the project is driven and sponsored by Top Manage-
ment (TM), its success is not totally guaranteed beforehand.
33.But its failure is assured if that condition is lacking.
34.The factotum then must be (note the imperative form)
TM, an issue which is often ignored (more or less blatantly).
The main reason being that, among its responsibilities for
corporate governance, it also has a responsibility for IT
governance and an obligation to, implicitly or explicitly,
select the components and choose the framework "cock-
tail" of its liking.
35. One cannot but hope that in the not so distant future, in
a more informed and cultured arena, the current could, as it
does in estuaries, allow the passage of certain amount of up-
stream traffic, i.e., well founded and documented suggestions
taken up to the Top Management (TM) by second/third line
management or staff personnel. But, while such a sensibility/
culture does not become generalized (thanks mainly to profes-
sional associations, universities, consultants, etc.), all the power
and potential for success lies with the TM.
36.The "implementation"/ad@ption is then a process (an
endless one!; Demings virtuous circle). A process of par-
Merry Webster Dictionary <
dictionary?book=Dictionary&va=implanted >.
UPGRADE Vol. IX, No. 1, February 2008 47
IT Governance
tial ad@ption, of cutting, pasting and ad@pting what suits
us; a process of hybridization or crossbreeding.
37.As previously stated, good frameworks are not radi-
cal. Quite the contrary, they are tolerant: they accept and
even foster promiscuity, cutting and pasting while remain-
ing faithful to their essence and remaining compatible with
other good frameworks, which is another of their intrinsic
characteristics. In a way, it is like medieval Toledo where
frameworks as different as the ones introduced by the J ew-
ish, the Christians, and the Arabs caused culture and pros-
perity to flourish in synergy.
38.Another "caricature statement" deals not with the
what but with the how.
39.As frustrating as it might seem for most consulting
firms (and even more for their major clients) whose busi-
ness model is to sell many "junior" and inexperienced hours
(pyramidal model) instead of fewer "senior" expert hours
of consultancy (not just PR), the critical issue here is not
the product (e.g., the ITIL version), or the what. Rather it is
the how, the process; the project; how it is managed, how
and how rapidly it is expanding, who is involved and who
is committed (remember the fable of the pig and the hen,
and their attitude in the face of the consequences for each
of them of not providing us with ham and eggs).
40.A good simile to describe the 'how' could be that of
cultivating, agriculture and culture (same etymology). Good
Governance is not about implementation but about culti-
vating, about work through the generations, about a con-
tinuous and sustainable process, relying more on the essen-
tials and on workmanship than on fashion.
41.Sustainability also assumes a number of prerequi-
sites that are so self-evident and naive that it seems absurd
to mention them. But we have to mention them due to the
numerous and widely documented blunders made by im-
portant corporations, assisted by major consulting firms,
while attempting to ensure that projects designed to meet
the requirements of the Sarbanes-Oxley Act delivered sus-
tainable structures and procedures.
42.Good IT Governance cannot be a patch or an ortho-
paedic limb. It has to be rooted in the organizations most
important, genuine, and healthy fibres.
43.Paraphrasing the famous quote by Lord Kelvin "If
you cannot measure it, you cannot improve it", we would
like to introduce another of our own "What is not continu-
ously evaluated and improved becomes obsolete before leav-
ing the drawing board".
44.Having mentioned more than once promiscuity and
tolerance, it might seem that frameworks and standards do
not ultimately contribute anything - that they are unneces-
sary or mere divertissement. A hasty and mistaken conclu-
sion! Frameworks are not only necessary, but are a manda-
tory prerequisite to pave the way towards good IT govern-
45.Frameworks are the crystallization of a "body of
knowledge" and "guidelines" that summarize the hands-on
experience of hundreds of international and multi-industry
IT practitioners in working groups and committees of pro-
fessional organizations and associations. The end result of
their contributions is objectively overwhelming, particularly
for those who, in this day and age, may still be trying to
reinvent the wheel.
46.Fortunately, thousands of the best professionals, from
many different areas, countries, and cultures have put in
their time as volunteers and helped to develop and keep
CobiT (Control Objectives for Information and related Tech-
nologies) current. CobiT has already become the interna-
tionally accepted reference IT Governance framework, re-
fining practices that have proved successful after numerous
implementation cycles.
47.The fact that frameworks are not intended to/cannot
be applied by themselves as a master recipe should not mis-
lead us into undervaluing them, but rather the opposite.
Competitive and surviving organizations stopped thinking
that the isolated self-sustaining Robinson Crusoe approach
was the way to go a long time ago
48.In Forresters opinion, "first use CobiT for IT con-
trol and governance, ITIL for service delivery and support,
and finally use ISO 17799 for Security"
49.To which, humbly, in view of the authority of the
quoted sentence, we dare add, as a cherry on top of the
cream: "Use Val IT to realize the benefits and the value gen-
erated by the process".
50.By way of a conclusion: if you seriously want to
implement good IT governance in your company/institu-
tion, just do it, using your own customized recipe, ad@pting
CobiT, ITIL, and Val IT. If you feel like it, drop a green
olive into the bowl.
51.If you do it right, youll be embarking on an endless
process (just like all successful projects).
52.If you see fit to request assistance from a consulting
firm, make sure they do not offer/deliver snake oil. The
more product-related or radical/exclusive the proposed so-
lution is, the more suspicious you should be.
J anuary 5, 2006,COBIT Versus Other Frameworks: A Road Map
To Comprehensive IT Governance by Craig Symons.
48 UPGRADE Vol. IX, No. 1, February 2008 Novtica
IT Governance
Keywords: Governance, IT Governance, IT Manage-
ment, Management.
1 Introduction
One of the less endearing behaviours of the IT industry
is to take terms that once had a meaning and then misuse
and overuse the word until the original meaning is all but
lost. Vendors are the main culprits, eager to redefine a
term to fit their offering, but the analysts are at it too, trying
to find creative new meanings for formerly well-understood
terms. Some authors, commentators and journalists con-
tribute simply by not understanding the proper meaning of
the term and so taking it to places it was never meant to go
"Management", "consultant", "solution", "knowl-
edge" there is a long list of victims. One of the latest is
"governance". In an attempt to stop the rot before this word
loses all usefulness, we should define what governance is
2 What Governance Is
Often the easiest way to understand something, is to first
define what it is not. However in the case of "governance,"
it is not difficult to define what it is, or rather what it was
back when the word had a clear agreed meaning. So let us
begin by defining the term.
The Concise Oxford Dictionary (Sixth Edition 1976)
defines "to govern" as "regulate proceedings of (corpo-
ration etc.)". Despite all that has been done to the word
since 1976, this is still the essence of governance: regula-
tion. And "regulate" is defined by the same source as "Con-
trol by rule, subject to restrictions; moderate, adapt to re-
Governance is the practice of controlling behaviour/ac-
tivity/process/practice by
Creating a controlling mechanism by defining roles,
responsibilities, decision rights, and accountability.
Setting the rules (the trendy word is "policy").
Defining the bounds to restrict behaviour.
Reacting to excess to bring it back within bounds.
Moving the bounds in response to changing require-
So there are two main functions to governance:
Directing. Setting and adjusting policy and bounds
in response to external stimulus: the behaviour the business
requires to survive, compete and comply.
Controlling. Enforcing the bounds in response to
internal stimulus: demanding metric reports and compar-
ing against the thresholds defined by the bounds; requiring
correction where metrics go over thresholds.
Governance is actually very simple in definition and
execution. Governors are not highly paid because what they
do is clever or complex. They are highly paid because they
carry the risk through their accountability for non-compli-
They say you cant manage what you cant measure. In
the same way you cant govern what you cant measure.
This is often interpreted to say that if we cannot measure
something we should not manage or govern it. This is in-
correct. If business requirements dictate a certain policy
and we cannot currently measure compliance with that
policy, then we have two options: (a) implement process
and tools to measure it or (b) accept the risk of an unregu-
lated policy. Better to make the risk transparent than to
leave the policy off.
In particular, changing technology means that the capa-
bility to measure is a lot more volatile than organisational
policy. If new metrics become available, it is easier to en-
force an existing policy than to introduce a new one.
One of the most powerful and widely applicable models
in IT is "people process things". (Often this is said as "peo-
ple process technology" but that is far too narrow. People
and process are underpinned by many artefacts such as
forms, books, files, even whiteboards and sticky notes).
Governance is first and foremost a state of mind, then an
activity, then the tools to enable and assist that activity. A
measurement tool on its own is not governance, despite what
the vendors claim, without the organisational attitude and
the repeatable processes to make it useful.
3 What Governance Isnt
Which brings us to our topic: what governance isnt.
The philosophers among us will remind that "what some-
What Governance Isnt
Rob England
This article makes a quixotic attempt to stem the corruption of the word governance. Governance is policy making and
policy policing. Anything else is management.
Rob England is a writer, entrepreneur and consultant. Rob
also writes under the pseudonym of The IT Skeptic <www.>. Rob lives with his family in a little house in a
little village in a little country far away <rob.england@>.
UPGRADE Vol. IX, No. 1, February 2008 49
IT Governance
thing is not" is an infinite topic. We will restrict ourselves
to "what governance isnt but people sometimes try to make
it". Here are seven interrelated areas often confused with
Measurement, reporting and audit.
Financial control.
Policy enforcement.
Vision and strategy.
3.1 Measurement, Reporting and Audit
Governance is not measurement or reporting or audit,
though it may employ these tools. As is the way of most
tools, these can be used for multiple purposes, one of which
is to report back to governors. Real governors seldom use
tools themselves: they require governance feedback infor-
mation from employees.
Doing the reporting or audit is not governance: it is ex-
ecuting the requirements of the governor. Dont let tool
vendors tell you otherwise. And "people process things": if
the activity of reporting is not governance then even more
so the tools are not governance. Nor do they enable or im-
prove governance. If you improve your culture and proc-
ess you might identify how tools could assist that improve-
ment, but implementing tools in a vacuum will not make a
3.2 Management
Governance is not management, at least not the opera-
tional activity that is the core meaning of management (or
was before the word lost all meaning). J ust because some-
one is making a decision does not make it governance. Most
decisions are not governance, they are management. Only
policy decisions are governance.
The government and the Governor do not operate a coun-
try: the civil service does that. The governors set policy,
rules, guidelines; they delegate the power to enforce them;
and they demand information and tribute.
Governance is one function of senior management, but
only as it is delegated. The ultimate responsibility for gov-
ernance rests with the owner, board of directors, or govern-
ment, depending on the type of organisation. The execu-
tion of governance can be delegated to executive manage-
ment: the accountability can not. In recent times, the
Sarbanes Oxley
Act has made that quite clear in the USA;
so too have various OECD, EC and national Acts and regu-
3.3 Optimisation
Governance is not optimisation
Governance asks "are we doing?" but not "how are
we doing it?" Profitability, ROI and other such operational
metrics are of interest to governors only in so much as they
have set policy to say "We must be profitable". How we
achieve this or why we are failing to achieve it are manage-
ment functions not governance ones. Executive manage-
ment is responsible of optimising the performance of the
organisation; governance is responsible only for ensuring it
remains within bounds.
3.4 Financial Control
Financial processes are not governance, not even con-
trolling processes. All financial management is part of the
operations of the organisation. Some financial metrics will
be required by governors to ensure operations remains
within financial policy bounds, but this is a small part of
what finance does and even then getting the data is not of
itself governance.
This includes many activities often tagged as govern-
ance: Project Portfolio Management (PPM), asset manage-
ment, budgeting, annual reporting Even fraud detection
is not governance: it is an operational security process.
Governance sets financial policy; financial management
executes it.
3.5 Policy Enforcement
Governance is not enforcement of policy. This is per-
haps the most common misuse of the word "governance".
Governors mandate that policy shall be complied with. They
measure to ensure the organisation remains within the
bounds of policy. But the day-to-day operational activity
of keeping the organisation within the bounds is manage-
ment not governance. Governors are watching not doing.
So bounds functions like risk management, change man-
agement, financial management, security and audit are not
governance. They are the means by which the organisation
satisfies governance requirements by keeping the organisa-
tion within the bounds of policy.
3.6 Vision and Strategy
Governance is not setting vision or strategy. Another
area that is often confused with governance is creating the
vision, setting the direction of the organisation, and devis-
ing strategy. Governors appoint an executive to do this,
and give them a framework and policy within which to do
it. In some organisations, the governors get actively in-
volved in the process and dont fully delegate it. But this
means that the governors are involved in high-level opera-
tions, not that the activity is part of governance.
3.7 Rule
Governance is not always rule. A king may rule but in
the modern model he/she does not govern. Equally in many
large organisations the nominal figure-head has little to do
with governance. A government minister or secretary has
only nominal control over his civil servants (watch "Yes
"The Sarbanes-Oxley Act of 2002 is a United States federal
law enacted on J uly 30, 2002 in response to a number of major
corporate and accounting scandals including those affecting Enron,
Tyco International, Adelphia, Peregrine Systems and WorldCom".
50 UPGRADE Vol. IX, No. 1, February 2008 CEPIS
Minister" on TV). The Chairman of the Board may do no
more than occupy the chair. Note that this is not a conse-
quence of simple delegation. The British people constitu-
tionally removed their monarchys right to govern at sword-
point. In theory the US president is answerable to the Sen-
ate (though in practice some would say the republic has an
emperor). The civil service in every nation evades control.
The Chairman may simply be ineffective.
4 IT Governance
So far we have talked about governance in general. This
magazine is about IT in particular, so what of IT governance.
If we focus on IT, does it change this discussion any?
The principles of IT governance remain exactly the same:
direct and control. The practices of IT governance are of
course more specific. IT governance is very well defined
by Val IT [1], that excellent product of the IT Governance
Institute [2]. Val IT starts slowly and looks deceptively light
after you have read it, but it is a nice comprehensive frame-
work for governing and managing value from IT.
Val IT defines IT governance as:
Ensure informed and committed leadership.
Define and implement processes.
Define roles and responsibilities.
Ensure appropriate and accepted accountability.
Define information requirements.
Establish reporting requirements.
Establish organisational structures.
Establish strategic direction.
Define investment categories.
Determine a target portfolio mix.
Define evaluation criteria by category.
Val IT also helps define what IT governance is not. It
describes Project and Portfolio management as:
Maintain a human resource inventory.

Establish an investment threshold.
Evaluate the initial programme concept business case.

Make and communicate the investment decision.
Stage-gate (and fund) selected programmes.

Monitor and report on portfolio performance.
and Investment Management as:
Develop a high-level definition of investment op-
Develop an initial programme concept business case.
Develop a clear understanding of candidate pro-
Perform alternatives analysis.

Assign clear accountability and ownership.
Initiate, plan and launch the programme.

Monitor and report on programme performance.
Retire the programme.
As we discussed already, governance is not operational
management, even where that management is the imple-
mentation of governance policy. Val IT agrees.
If we revisit our list of seven examples of areas that get
shoehorned into the definition of governance, we can see
how they have a different context within IT but they are not
4.1 Measurement, Reporting and Audit
In IT, we are blessed with the COBIT framework as a
useful definition of practices and metrics for measuring,
reporting and auditing IT. In addition there are of course
ITIL and CMMI and other frameworks that extend and com-
plement COBIT too. IT is something of a thought leader in
this area: try to find good KPIs for HR or marketing. We in
turn take our lead from manufacturing where TQM and Six
Sigma have pioneered many of ITs concepts.
4.2 Management
In the last decade or so we have moved from IT people
managing to managers managing IT: the understanding be-
ing that management is a skill that many IT people do not
grow into, and that effective management can be brought in
from outside IT. The rise of ITIL is a sign of that maturing
as non-IT managers look for effective frameworks to im-
pose. But IT managers do not govern. They serve their gov-
ernor masters like all managers do.
Most importantly, there is no such thing as IT govern-
ance in the sense that nobody within IT governs, except as
delegated from the governors. When we narrow our focus
to IT Governance, one thing does not change: the gover-
nors of the organisation own it. Accountability for IT Gov-
ernance rests with the Board, or owner, or minister/secre-
tary, just like any other governance. IT is governed just as
Manufacturing, Distribution, Finance, HR and so on are
governed: from the centre.
4.3 Optimisation
Again nothing changes. ITIL is not governance. Doing
things better within IT is part of the operational manage-
ment of IT. We do it to stay within governances policy
bounds, but we do it outside of governance.
4.4 Financial Control
IT does a lot to facilitate financial management and fi-
nancial governance by providing the software to make the
processes effective, but the tools are not governance any
more than a hammer is carpentry.
4.5 Policy Enforcement
IT plays a pivotal role in modern organisational policy en-
forcement in areas like audit and security, but we merely de-
liver to the operational processes that respond to policy: this is
a long way removed from calling what we do governance.
4.6 Vision and Strategy
It has been well argued of late that there should be no IT
strategy: IT is one aspect of the organisational strategy.
UPGRADE Vol. IX, No. 1, February 2008 51 CEPIS
Certainly ITs emergence as a function more aligned with
the business with outward facing management means we
push for a seat at the top table, but that does not mean CIOs
take a governance role. It means they take an executive
management role.
4.7 Rule
There is no distinct IT governance role so there is no
distinct ruler of IT, but try telling that to some CIOs.
In theory the practice of governance is simple, though
in practice not so. The definition of governance is simple:
policy making and monitoring. But the vendors will make
governance mean what they sell; the analysts will make it
mean something new and oh so clever; and many writers
will make it whatever they think it means. This articles
quest is probably futile: the word "governance" is doomed
just like "partner" and "paradigm" and "legacy" and "vir-
tual" before it. Maybe there is still a chance. You will make
this writer happy if just once you say "thats not govern-
ance" (see Table 1).
Table 1: Governance Keywords.
Governance is Governance isnt
Policy Strategy
Direction Execution
Assurance Audit
Rules Instructions
Making the owner accountable Ownership
Empowering Approving
Consider information Analyse data
Check a dashboard Measure and monitor
Require behaviour Modify behaviour
Process requirement Process execution
Reporting on compliance Reporting on performance

[1] IT Governance Institute. "Enterprise Value: Govern-
ance of IT Investments, The Val IT Framework", 2006.
Available for download at <
ContentManagement/ContentDisplay.cfm& ContentID
[2] IT Governance Institute. <>.
CMMI: Capability Maturity Model Integration.
COBIT: Control OBjectives for Information and related
ITIL: Information Technology Infrastructure Library.
KPI: Key Performance Indicator.
Six Sigma: A set of practices to systematically improve proc-
esses by eliminating defects.
TQM: Total Quality Management.
52 UPGRADE Vol. IX, No. 1, February 2008 CEPIS
Software Engineering
A View on Aspect Oriented Programming
Konrad Billewicz
Pro Dialog, 2007
This paper was first published, in English, by Pro Dialog (issue no. 23, 2007, pp. 13-20). Pro Dialog, <
prodial/prodialEn.html>, a founding member of UPENET, is a biannual journal published jointly, in English or Polish, by the Polish
CEPIS society PTI-PIPS (Polskie Towarzystwo Informatyczne Polish Information Processing Society) and the Poznan University of
Technology, Institute of Computing Science.
In this paper a wide view on aspect oriented programming is shown. The correlation with object oriented programming is
presented. The strengths of aspect oriented design over object oriented design are pointed out. The typical usage of
aspects is outlined. Several research and industry examples of aspect usage are provided.
Keywords: Aspect Oriented Pro-
gramming, J ava, Object Oriented Pro-
1 Introduction
Aspect oriented programming
(AOP) is a different way of thinking
about software development. This
paradigm has been researched for sev-
eral years since the publication of "As-
pect-Oriented Programming" [8] in
1997. The advancement of AOP is not
as fast as object oriented programming
(OOP) was. AOP is a popular subject
of AOSD (Aspect Oriented Software
Development) conferences [3], but
generally conference papers about this
paradigm rarely appear. Solutions
based on AOP slowly enter the market
and are rarely recognised as an AOP.
More often usage of AOP is hid-
den. In this paper we will describe what
AOP is, try to present the main advan-
tages of AOP, show how AOP and OOP
can complement one another and how
the AOP is currently used.
In Section 2 we will introduce the
basics of AOP. In Section 3 we will
Konrad Billewicz, Warsaw University of Technology, Institute of Computer Science.
look at AOP in comparison with OOP.
Some advantages of AOP over OOP
will be given. The typical usage of AOP
will be presented in Section 4. The
current research of AOP will be out-
lined in Section 5. In Section 6 we will
briefly describe several real-world im-
plementations of AOP based on J ava
technology. Section 7 contains some
2 Basics of Aspect Oriented
Briefly speaking, AOP allows us to
apply new code into the existing one,
and this operation is performed com-
pletely transparently. Using traditional
approaches would make a similar goal
difficult or even impossible to achieve.
In order to describe AOP more pre-
cisely, we will focus on showing AOP
primitives and interactions between
them. An example of a simple AOP
program will be provided. With this
knowledge, the basics of AOP should
be clear.
AOP is based on several primitives:
crosscutting concern, joinpoint, ad-
vice, pointcut, introduction, weaving
and aspect, all of which are described
Crosscutting concern though
most classes in an object oriented
model perform a single task, they of-
ten share a common, secondary func-
tionality. While the primary functio-
nality of each class is different, the
code responsible for performing the
secondary functionality is typically
identical. This identical code we call
the crosscutting concern.
Joinpoint is a location in the ex-
isting code where the new code is ap-
plied. Generally it can be any part of
UPGRADE Vol. IX, No. 1, February 2008 53 CEPIS
the code such as method execution start
or end, class field read or write, loop,
variable assignment or read. In popu-
lar J ava AOP implementations (briefly
described in section 6) only method
execution and field access are avail-
Advice is the new code that will
be applied into the existing code.
Pointcut is a construction that
selects joinpoints to which advice will
be applied. We rarely want to apply the
advice to every possible joinpoint, so
we need to select only some of the
Introduction is a new (intro-
duced) functionality of the class. For
example it can be method, field or
thrown exception. Introduction is dy-
namically added to the existing code
by AOP.
Aspect is a collection of advices,
pointcuts and introductions.
Weaving is a process of apply-
ing aspect to the existing code.
AOP separates crosscutting con-
cerns into single units the aspects.
The process of applying aspects into
existing code is called weaving. It
gives us the ability to apply new code
into the existing one.
When using AOP we start by im-
plementing the System using object an
oriented language (such as J ava). Af-
ter that we deal with crosscutting con-
cerns by implementing Core concerns
and Weaving rules (grouped into as-
pects) using an aspect language (such
as AspectJ [2]). The process of apply-
ing an crosscutting concern to the
object oriented System is presented in
Figure 1. After compilation we have a
single program.
Examples of using AOP in typical
implementations are given in section
4. A more detailed description of AOP
primitives can be found in [10].
For a better understanding of terms
introduced above we will consider an
example J ava class presented in Fig-
ure 2 and an example AspectJ aspect
presented in Figure 3. Output from the
program that was compiled and run is
shown in Figure 4.
The simple J ava class in Figure 2
contains three methods including two
starting with "say". One takes no pa-
rameter and the other takes a string pa-
rameter. Every method prints some-
thing to the console. The main method
calls both.
In Figure 3 an example aspect is
presented. It contains one pointcut
definition say-Pointcut. This definition
points to method calls in the program
(the call keywold), which have any
access scope and returns anything (the
first *), their class has any name (sec-
ond *), their name begins with "say"
(say* after the coma) and takes any (or
no) parameters (.. in the brackets) (for
full description of AspectJ syntax re-
fer to [10]).
We have two advices inside the
aspect. One of them executes before
declared pointcut (the before key-
word) and another after it (the after
The output of example AOP pro-
gram created by weaving
ExampleAspect into Example-Class is
presented in Figure 4. Both advices
have been invoked twice: before and
after two methods with name starting
with "say". The aspect has not been
woven before or after the method
which starts with "print", so advice is
not executed before or after the execu-
tion of this method.
3 Aspect and Object Oriented
AOP is a paradigm completely dif-
ferent from the one presented by OOP.
OOP is built upon primitives, such as
objects and relations between them,
while AOP is focused on aspects
weaved into objects. At the first sight
these two paradigms seem to be the
alternate but this is not true. OOP and
AOP can live together in one program
and supplement one another.
OOP is a paradigm which allows
us to build an information system rep-
resenting the real world or an imagined
environment. Objects represent entities
from the domain, while relations be-
tween objects represent the relations
between these entities.
This idea is straightforward and
powerful. On the other hand, some-
times it can be very difficult to imple-
ment such an environment due to its
Figure 1: Compilation of AspectJ Program [10].
54 UPGRADE Vol. IX, No. 1, February 2008 CEPIS
Figure 2: Example J ava Class.
The solution to the problem men-
tioned is the AOP. It is suitable to han-
dle crosscutting concerns in an ob-
ject oriented model. By handling these
concerns we are able to remove some
relations between objects from the
By doing this, we are reducing model
complexity and simultaneously preserv-
ing information which has been con-
tained in these relations. When using
AOP, information about removed rela-
tions is stored in the aspects. In this ap-
proach aspect is preferred over relation.
Replacing relations with aspects
makes objects less coupled and de-
creases the object oriented model com-
plexity. This approach is presented in
detail in [13].
The usage of AOP does not rule out
from using OOP. These two paradigms
can exist in the project together and
complement each other. Object ori-
ented elements of the environment
objects are superior to AOP elements
aspects. Objects are connected with
relations and interact with one another
while aspects handle crosscutting
concerns. In this approach the usage
of aspects is transparent for objects.
That is the reason why objects can be
less coupled they do not need to
know about the logic nested inside as-
pects and do not depend on them.
4 Typical Usage of Aspect Ori-
ented Programming
In this section we will focus on
typical usage of AOP. We will consider:
aspect oriented logging,
aspect oriented authentication,
aspect oriented cache,
aspect oriented transaction
The most representative and the
most frequently used AOP implemen-
tation is aspect oriented logging. Log-
ging is an excellent example of cross-
cutting concern. A logging should be
completely transparent for the rest of
the system and none of the system com-
ponents should depend on it. Besides,
a logging should be a separate module
which can be easily plugged in and out
of the system. It is an ideal candidate
for an aspect implementation. An ex-
ample of such an implementation can
be found in [12]. In the paper the mi-
gration of a J ava program logging ar-
chitecture from object oriented to as-
pect and object oriented is presented.
The effectiveness of this modification
is validated with a technique based on
DSM (Design Structure Matrix). An-
other example of AOP-based logging,
implemented in COBOL, can be found
in [11]. Usage of aspect oriented log-
ging in advanced, real-world systems
is presented and discussed in [1]. An
implementation of a logging module in
the AspectJ language can be found in
Another typical usage of AOP is
authentication. If a user wants to ac-
cess a resource that is not allowed to
be retrieved by all users, authentica-
tion should be performed. Secured re-
source access can be needed anywhere
in the program. The other modules of
the program should not be aware of the
fact that a user has to authenticate and
how this authentication is performed.
Besides, no part of the program
should depend on the authentication
module. This is an example of cross-
cutting concern. A migration to this
AOP-based approach can be found in
[12]. Guidelines about AOP authenti-
cation implementation in the AspectJ
language can be found in [10].
Cache management is another
popular application of AOP. Objects
interacting with each other do not need
to know about caching. It is an ideal
candidate to be implemented using
AOP. We can assign aspects to inter-
cept request to the objects we would
like to cache. During this interception
aspect checks if the object currently
requested is in the cache (cache can be,
for example, a memory). If it is, we are
simply returning it. High cost operation
such as retrieving data from a database
UPGRADE Vol. IX, No. 1, February 2008 55 CEPIS
can be skipped. If the object is not in
the cache, we are simply performing
the original request. In both scenarios,
the main program in not aware of the
cache presence. Implementation of
caching in the AspectJ language can be
found in [10].
A more advanced but still typical
usage of AOP is transaction manage-
ment. Transaction management is a
functionally behind the main logic of
the program. Handling it inside the
logic often results in a very compli-
cated and hard-to-understand code.
Using aspects which guard transac-
tions instead of the objects makes the
code easier to understand. Guidelines
about handling transaction manage-
ment with AspectJ can be found in [10].
A discussion about implementing
transactions using AOP can be found
in [9].
5 Research on Aspect Ori -
ented Programming
More advanced ways of using AOP
are being researched. Aspects are not
fully explored and their potential is not
completely understood nowadays. In-
teresting areas where AOP can be use-
ful are:
AOP based program architecture,
OOP patterns incorporation,
refactoring existing programs
with no source code available.
These three issues will be discussed
in this section.
Researchers try to base the archi-
tecture of their programs on AOP. It is
a challenge because the usage of as-
pects in this manner in not as straight-
forward as in basic usages (presented
in section 4), such as logging. An in-
teresting example of implementing
program logic using AOP can be found
in [15]. The paper presents a concept
of an AOP design where a complex
object oriented environment is built
using a very simple model which han-
dles only the simplest use cases. The
more advanced use cases are handled
using AOP. Aspects are weaven into
objects responsible for complex ac-
tions. When an action is going to be
performed, the aspect recognizes it and
performs the action instead of the ob-
ject (but can execute the object logic
as well). This approach makes objects
simple and easy to understand while
the complexity is held inside separate
aspects. A similar attempt is presented
in [10]. In the book the concept of di-
viding business rules into two groups
is presented.
Core and constant business rules
are programmed typically, while vari-
able business rules are implemented
using AOP.
Another subject of AOP research
that is advanced but still popular
among researchers is an attempt to in-
corporate OOP patterns (such as these
described in the book Gang of Four
[5]) using AOP. Some papers present
migration techniques that allow imple-
menting object oriented patterns using
AOP [6]. Other concentrate on per-
formance and the improvement of
separation of concerns [7].
Some of the AOP implementations
(such as AspectJ [2]) have another use-
ful functionality an ability to weave
aspects into the existing bytecode. This
allows us to modify or add new func-
tionality to the existing programs or li-
braries with no source code available. A
study and examples of using this very
interesting functionality can be found in
6 Aspect Ori ented Program-
ming in the Industry
The most popular implementation
Figure 3: Example AspectJ Aspect.
Figure 4: Output from Example AOP Program.
56 UPGRADE Vol. IX, No. 1, February 2008 CEPIS
of AOP for J ava is AspectJ [2]. We
write aspects in a specialized language,
somewhat similar to J ava, extended
with structures used for defining an
aspect such as pointcut or advice.
Aspects written in AspectJ lan-
guage have to be compiled by an
AspectJ compiler. This compiler is
compatible with the standard J ava
compiler and produces class files that
can be run on any J ava-compatible vir-
tual machine.
The AspectJ compiler offers an
option to weave aspects not only into
J ava source code but also into com-
piled J ava classes (more about research
in this area can be found in Section 5).
Another implementation of AOP
for J ava is proposed by Spring Frame-
work [14]. This framework is based on
Dependency Injection paradigm closely
connected with AOP (for more informa-
tion about Dependency Injection refer to
Spring Framework documentation at
Spring AOP framework has unique
functionality that allows us to use AOP
features without recompiling the pro-
gram. This is possible due to the inte-
gration with the entire Spring Frame-
work which handles the lifecycle of
objects in the program.
On the other hand, this approach
has its disadvantages. Firstly, Spring
AOP is only able to handle method
execution joinpoints. Secondly, this
approach can cause significant per-
formance issues.
7 Conclusions
The main advantage of AOP is that
it can complement OOP. These two can
exist in the project together and sup-
plement each other. It gives us a chance
to improve areas where the object ori-
ented paradigm is not suitable.
Another AOP advantage is the abil-
ity to solve problems impossible to
solve using OOP such as crosscutting
concerns, effective pattern implemen-
tation or bytecode refactoring.
AOP has a huge undiscovered po-
tential. Several areas where this prom-
ising technology can be suitable are
being exploited by industry or re-
searched. But many areas still wait for
their explorers.
[1] Akkawi, F., Akkawi, K., Bader,
A., Fletcher, D., Duncavage, D.,
Using Aspect-Oriented Technol-
ogy in the Design of Advanced
Diagnostic Systems, IASTED In-
ternational Conference on Soft-
ware Engineering, I nnsbruck
[2] AspectJ, <
[3] Aspect-Oriented Software Devel-
opment, <>.
[4] Cheng, L.-T., Patterson, J., Rohall,
S. L., Hupfer, S., Ross, S., Weav-
ing a Social Fabric into Existing
Software, AOSD05, Chicago
[5] Gamma, E., Helm, R., J ohnson,
R., Vlissides, J ., Design Patterns:
Elements of Reusable Object-Ori-
ented Software, Addison-Wesley,
[6] Garcia, A., SantAnna, C.,
Figueiredo, E., Kulesza, U.,
Lucena, C., von Staa, A.,
Modularizing Design Patterns
with Aspects: A Quantitative
Study, AOSD05, Chicago 2005.
[7] Hannemann, J ., Kiczales, G., De-
sign Pattern Implementation in
J ava and AspectJ , OOPSLA02,
Seattle 2002.
[8] Kiczales, G., Lamping, J .,
Mendhekar, A., Maeda, Ch., Lopes,
C. V., Loingtier, J.-M., Irwin, J., As-
pect-Oriented Programming, in:
Proceedings of the European Con-
ference on Object-Oriented Pro-
gramming (ECOOP), Lecture
Notes in Computer Science 1241,
Springer-Verlag, 1997.
[9] Kienzle, J ., Glineau, S., AO
Challenge Implementing the
ACID Properties for Transac-
tional Objects, AOSD06, Bonn
[10] Laddad, R., AspectJ in Action,
Manning Publications Co., 2003.
[11] Lmmel, R., De Schutter, K., What
does Aspect Oriented Programming
Mean to Cobol?, AOSD05, Chi-
cago 2005.
[12] Lopes, C. V., Bajracharya, S. K.,
An Analysis of Modularity in As-
pect Oriented Design, AOSD05,
Chicago 2005.
[13] Pearce, D. J ., Noble, J ., Relation-
ship Aspects, AOSD06, Bonn
[14] Spring Framework, http://www.
[15] Zhang, Ch., J acobsen, H.-A., Re-
solving Feature Convolution in
Middleware Systems,
OOPSLA04, Vancouver 2004.
UPGRADE Vol. IX, No. 1, February 2008 57
CEPIS Working Groups
Authentication Approaches for Online Banking
CEPIS Legal and Security Special Interest Network
Authentication is essential part of modern e-commerce, particularly in online-banking. Owing to the popularity and wide
use of on-line banking unwanted side effects aroused; i.e. abuses, activities by malicious and criminal users and rise of
organized criminal attempts (e.g. phishing). This paper surveys contemporary authentication approaches taken by Euro-
pean banks and further argues that complex and error prone security measures do not provide any security improvement,
but rather discourage or prevent users easily entering the electronic market place. Additionally, recommendations are
given, which are targeted at different parties; i.e. banks and other financial institutions and organizations, governments
and regulators, professionals and customers. For every group specific recommendations are suggested.
Keywords: Authentication, Certificate, Online Bank-
ing, Password, Phishing, Security, Smart Card.
1 Introduction
Performing financial transactions via an online connec-
tion to a bank or other financial institution is cheaper and
faster than conventional means of conducting business. Yet
despite the obvious advantages, there is still a reluctance to
use it as the primary method of conducting business be-
cause of the risks associated with it. Consequently, banks
are introducing new safety mechanisms to prevent attacks
and increase trust. Besides the usual methods, additional
ones are applied for authentication. As the voice of Euro-
pean IT practitioners, the CEPIS Legal and Security Ex-
perts Group is concerned that the use of security technol-
ogy does not increase security but makes services less ap-
pealing to use. On the other hand, alternative approaches,
which could raise security for users, are rarely employed if
at all. Based on these findings, CEPIS strongly recommends
that unnecessarily complex or cumbersome security tech-
nologies should not be applied. A cost-benefit analysis
should be performed to assess the effectiveness of protec-
tion and the trade-offs for all parties involved.
2 Authentication Approaches
The supply of online banking is increasing. Because
banking activities are highly sensitive, higher security stand-
ards are required. In order to increase security, banks em-
ploy two-factor authentication, which involves something
the user knows (e.g. password, PIN) and something the user
has (e.g. smart card, other hardware token). Although the
actual application may vary, most banks use the second au-
thentication factor (a token that the user possesses).
The types of authentication schemes can be classified
as follows:
a one-time password approach;
a certificate-based approach;
a timer-based (short) password approach;
a certificate - smart card based approach.
The CEPIS Legal and Security Special Interest Network (LSI
SIN) is an experts group within CEPIS comprising of individuals
from several Computer Societies across Europe. It is chaired by
Professor Kai Rannenberg, from the Institute of Business
Informatics at the Goethe University, Frankfurt (Germany). The
groups Secretary and main editor of this statement is Marko
Hlbl from the Faculty of Electrical Engineering and Computer
Science, University of Maribor (Slovenia). For more information
please contact: Fiona Fanning, Policy and Communication
Executive <>.
The above approaches have their advantages and disad-
vantages. The trade-offs are often in the following areas:
resistance against attacks;
costs for the bank and/or the customer;
ease of use;
The approaches and their advantages are discussed in
the CEPIS background paper. While the goal is to find a
solution that is best in all dimensions, in most situations a
prudent way to deal with the trade-offs is needed.
3 Trade-offs and How to Deal with Them
A typical trade-off is between the one-time password
approach and the smart card approach. The one-time pass-
word approach is cheaper and less demanding, while the
smart card approach is more robust against attacks. In this
situation, a risk analysis must be carried out and a choice
offered so that users can select the method that fits their
preferences for potential risk and other factors.
4 Concerns
We recognise the dangers related to online banking.
While some degree of imperfection will always exist, we
are more concerned about the use of methods that do not
58 UPGRADE Vol. IX, No. 1, February 2008
improve security but make services harder to use. Some
security measures do not raise the security level and only
give an erroneous impression of security, while alternative
approaches that could increase security are rarely used or
not at all.
Consequently, we have serious concerns:
1. The tendency to use complex and error-prone secu-
rity measures that do not provide any security improvement
is an unnecessary burden that will discourage or prevent
users from easily adopting electronic business in general;
this conflicts with the European Unions goals for a com-
mon electronic marketplace.
2. Unfavourable media coverage of security measures
may damage the reputation of all security endeavours, re-
sulting in consumers loss of confidence and trust in secu-
rity technologies. Such distrust is damaging as it makes it
more difficult to react efficiently to new security threats.
3. We are concerned about unprofessional behaviour
demonstrated by not fixing evident shortcomings. We are
worried about the damage that such behaviour might cause
to the publics view of the ICT professions reputation.
5 Recommendations
Recognising the importance of online access as one of
the vehicles for the development of cheaper, faster and more
reliable services, we have identified areas of improvement
where all parties involved should endeavour to deploy serv-
ices without unnecessary or excessive risks. Based on the
findings of our professional working party, CEPIS has for-
mulated recommendations to four groups of stakeholders,
1. Banks and other financial institutions and organisations;
2. governments and regulators;
3. professionals;
4. customers.
5.1 Recommendations to Banks and Other
Financial Institutions and Organisations
We strongly recommend that unnecessarily complex or
forbidding security technologies should not be used. In-
stead, a cost-benefit analysis, covering primarily the fol-
lowing points should be carried out:
1. An assessment of the effectiveness of a planned pro-
tection compared to the existing one;
2. An assessment of burdens for all the involved parties.
Customers should be informed of the risks, existing se-
curity measures and of their rights in case of fraud. Banks
should inform their customers of their rights and of the help
available to compensate for their loss in an easy-to-under-
stand manner such as e.g. air travellers have in all EU air-
ports. Customers should also be given the choice of differ-
ent methods for authentication and be able to select a sys-
tem that matches their approach to risk and their prefer-
Financial institutions and organizations should inform
their customers that security measures on their computers
are vital for secure online banking and that security must be
constantly maintained.
In case of fraud, the bank should offer all possible as-
sistance to the affected party, especially as the capabilities
of a bank considerably exceed those of a citizen.
No practitioner should be considered as qualified to work
for a bank or to provide services to a bank without being a
member of a professional association that has adopted a code
of ethics.
5.2 Recommendations to Governments
Where existing laws are not sufficient, legislation should
be put in place to protect customers in cases of online bank-
ing frauds and to compensate for customers losses in pro-
portion to the adequacy of the bank security measures.
Customers should not be the only ones to carry the bur-
den of the consequences of criminal acts related to online
banking, especially if such acts are facilitated by (insuffi-
cient) bank security measures.
Legal obligations should be put in place to inform cus-
tomers of existing security measures and of their rights in
cases of fraud.
5.3 Recommendations to Professionals
We encourage professionals to uncover the problems of
inadequate security technologies and work towards fixing
these problems.
Professionals should decline to provide their services to
banks in certain cases, for example when the cost of bank
transactions is not transparent, transactions are vulnerable
and when there is a possibility of personal data being dis-
5.4 Recommendations to Customers
Customers are encouraged to enquire about security
measures and to read the small print of the conditions of
services. They are encouraged to consider the security of
their electronic transactions when choosing the bank, not
simply to opt for the cheapest offer or for the most aggres-
sive marketing campaign.
Customers should continuously maintain the security of
their computers in order to support secure online banking.