
IT Governance

The exploitation, control and measurement of information and technology resources

IT Governance is not a state; it is a process, an ongoing undertaking that will constantly
be redefined. IT Governance is inherently tied into corporate or enterprise governance,
and will both reflect and help shape the changes that organisations undergo over a period
of time. IT Governance cannot be implemented per se, but it can become part of the
organisational culture, and there are numerous tools, technologies, and methodologies
available to assist in the cultural changes that the IT Governance process brings.

IT Governance crosses over into major implementations. CRM allowed organisations to
provide better levels of customer service, to outface their operations, to globalise their
front office applications. ERP systems tied together the back office operations in a similar
manner. Integration, amongst other requirements, tried to tie these front and back office
systems together. Finally, Web services are starting to force a reconsideration of the way
that organisations offer their services.

IT Governance affects all these areas, and has an impact on another major emerging
area. Organisations are spending millions of – insert currency of choice – on these three
areas alone, yet one has to seriously question three aspects of this spend. Firstly, who is
involved in the decision-making process, and at what level of responsibility? Secondly,
what checks, controls, and measurement practices are put into place to oversee these
huge implementations, and who oversees these? Finally, who bears the ultimate
responsibility for failure, and is that person the one most heavily involved in the initial
decision-making process?

The Report looks at the various interpretations of IT Governance and puts forward Butler
Group’s specific view on exactly what IT Governance entails both in terms of concept and
in the reality of putting the process in place.

The Report shows:

• A proven methodology for commencing IT Governance.
• The external Governmental and legislative forces that make IT Governance a
necessity.
• The tools available to manage the IT Governance process.
• The socio-political changes that IT Governance will bring to an organisation.
• The realities of getting the IT Governance process in place as part of a supervisory
control process.
• The value that IT Governance will bring to an organisation.

The Vendors Included in this Report:

Product Profiles – Balanced Scorecard

• ActiveStrategy
• CorVu
• Crystal Decisions
• Lawson Software
• SAS

Product Profiles – Change Management

• Applied Innovation Management (AIM)
• Computer Associates (CA)
• IBM Rational Software
• Merant
• Mercury Interactive
• Network Associates
• Serena Software

Product Profiles – Portfolio Management

• Alinean
• Artemis International
• Business Engine
• Changepoint
• Lawson Software
• Mercury Interactive
• Niku
• PlanView

Product Profiles – Risk Management

• Decisioneering
• Methodware Ltd.

Report Structure

The Report has been structured for ease of use by separating out sections that will be of
relevance to different people within the organisation.

Section 2 – Definition and Introduction

After the Management summary, Section 2 creates a definition for IT Governance and
raises some of the key issues that will be discussed in later sections of the Report.

Section 3 – Value of Governance

In this section we look at the positive aspects of IT Governance. How cost savings can be
made and how the use of information will drive organisations to new business models and
create new opportunities.

Section 4 – Practicalities of Governance

This section looks at four key areas for IT Governance: Balanced Scorecard, Change
Management, Portfolio Management, and Risk Management. It also introduces a model
methodology that is abstracted from the implementation of an Enterprise Architecture
and placed within the IT Governance framework.

Section 5 – Regulations

As many of the drivers for IT Governance come from external forces, in this Section we
look at some of those forces, including Sarbanes-Oxley and Basel II, and discuss the
implications of this legislation. We also consider an existing solution for Sarbanes-
Oxley compliance.

Section 6 – Product Profiles

Here we discuss the tools that aid the ongoing process of IT Governance. This is split into
four key areas discussed in Section 4 – Balanced Scorecard, Change Management,
Portfolio Management, and Risk Management.

Section 7 – Case Studies

As IT Governance is a process, it differs in terms of implementation. In this Section we
highlight six organisations that are undertaking the IT Governance process and how this
is being carried out.

Management Summary

IT Governance is not a state; it is a process, an ongoing undertaking that will constantly
be redefined. IT Governance is inherently tied into corporate or enterprise governance,
and will both reflect and help shape the changes that organisations undergo over a
period of time. IT Governance cannot be implemented per se, but it can become part of
the organisational culture, and there are numerous tools, technologies, and
methodologies available to assist in the cultural changes that the IT Governance process
brings.

Before any major undertaking an organisation has to ask four key questions: Why?
What? How? When? IT Governance is a major undertaking, and as such requires the
answers to these four questions – and to state that IT Governance is a major undertaking
is to understate the issue. IT Governance is the largest undertaking that any organisation
will face. Forget ERP and CRM systems; forget integration; forget moving to Web
services. The complexities within all of these will pale into insignificance compared to
undertaking the IT Governance process.

Given these complexities, the obvious response would be to ask the first of the
questions. Why? Explain the benefits! CRM allowed organisations to provide better levels
of customer service, to outface their operations, to globalise their front-office
applications. ERP systems tied together the back-office operations in a similar manner.
Integration, amongst other requirements, tried to tie these front- and back-office
systems together. Finally, Web services are starting to force a reconsideration of the way
that organisations offer their services.

The ‘why?’ question for IT Governance affects all these areas, and has an impact on
another major emerging area. Organisations are spending millions of – insert currency of
choice – on these three areas alone, yet one has to seriously question three aspects of
this spend. Firstly, who is involved in the decision-making process, and at what level of
responsibility? Secondly, what checks, controls, and measurement practices are put into
place to oversee these huge implementations, and who oversees these? Finally, who
bears the ultimate responsibility for failure, and is that person the one most heavily
involved in the initial decision-making process?

The one thing that IT Governance does at the highest level is to raise questions. What it
does after the process is running is to either answer those questions or make them
redundant. That is the true benefit of IT Governance. No longer will decisions be made by
the wrong people for the wrong reasons (wittingly or unwittingly). No longer will
organisations find themselves having to excuse ‘bad’ decisions. Bad decisions will still be
made (no process will ever overcome that), but they will have been made for the ‘right’
reasons. This is not semantic puffery; it is an important factor of corporate decision-
making.

This leads to the other major area, mentioned previously, another ‘why’ for IT
Governance; changing external forces. More specifically, IT Governance is a prime
requirement to ensure compliance with the raft of new legislation that is starting to
appear in the wake of the well-publicised financial mismanagement of high-profile
companies. Prime amongst the plethora of this new legislation is the Sarbanes-Oxley Act.
This Act not only changes the financial reporting requirements of organisations covered
by the Act, it effectively shifts the balance of power within those organisations; creating a
whole new corporate culture and hierarchy.

To understand the reasoning behind this it is necessary to consider the typical
hierarchical/control structures that exist within most organisations. The finance
departments are seen as the true controllers of organisations. Not only do they control
overall budgets, but they also have a huge say in the way that departmental budgets are
allocated. This position at the top of the corporate tree has an historical basis. As the
department most affected by external regulations, it transmuted that into control based
on the liability=control logical equation. If the finance department failed to comply with
regulations then the CFO would bear the ultimate responsibility. This translates as:

“As I will bear the penalty for failure, then I must have the final decision.”

A perfectly acceptable and understandable view. However, this control has extended past
the liability=control equation and infiltrated into other areas. Typically, the CIO can make
recommendations that may be over-ruled by the CFO. Given the control that exists within
most organisations, failure is difficult to apportion – the CFO still has control, but the
liability element has all but been removed. Control equates to power, and power is a
heady drug. Hardly surprising that CFOs are unwilling to cede power to another part of
the organisation; to provide autonomy.

The situation as it exists at the moment is that the CIO is allowed to ‘administer’ IT,
whilst the CFO ‘controls’ it. Sarbanes-Oxley throws the historical perspective out of the
window, by introducing another element into the equation. That element is ‘level of
liability’ or ‘penalty for failure’. Given the furore that accompanied the light (or non-
existent) penalties for corporate malfeasance demonstrated against certain individuals
recently involved in financial collapses of large corporations, it is hardly surprising that
the Securities and Exchange Commission (SEC) has publicly declared an intent to provide
greater protection to stakeholders in public companies. Although the initial move is
towards tightening up controls, there is little doubt that failure to comply will be met with
stronger action than has been the case in the past. There is a whole new ball-game in
town, and it is Sarbanes-Oxley. We can even detail the one specific Section that will force
the shift of power; Section 409, which states:

Each issuer reporting under section 13(a) or 15(d) [of the Securities Exchange Act of
1934] shall disclose to the public on a rapid and current basis such additional information
concerning material changes in the financial condition or operations of the issuer, in plain
English, which may include trend and qualitative information and graphic presentations,
as the Commission determines, by rule, is necessary or useful for the protection of
investors and in the public interest.

Reading that must make any CFO’s blood run icy cold. It is almost impossible to pick out
one single key word or phrase in this innocuously short paragraph, but if one were to
make the attempt, then one would most likely choose ‘operations’. The operational
aspect of an organisation is held within the IT systems, and the person best placed to
understand what IT systems are required for compliance with Sarbanes-Oxley is the CIO.
If that person should require new systems for compliance he/she is unlikely to be over-
ruled by the CFO, because by so doing the CFO would have removed any defence of
‘reasonable care’. If it could be demonstrated that the CFO of an organisation had vetoed
the implementation of systems for Sarbanes-Oxley compliance, then it could be
demonstrated de jure that he/she was in breach of the Act.

So we are reaching a situation where, for the first time and due to the same external
legislative forces that gave the CFO the over-riding controlling voice, the CIO will have
control. For these reasons, we at Butler Group have coined the phrase: IT is the new
accounts.

Although the external pressures that will force this change in the corporate socio-political
ecosystem may appear negative – talking of blame, culpability, and penalties – the
benefits of this enforced shift are in fact positive. The one simple reason for this is that
control or governance is always best held by the person closest to the problems and
issues and best qualified to deal with those problems and issues. IT Governance is
putting control where it belongs; in the hands of the CIO.

Although there are other reasons for the ‘why?’ of IT Governance, if there is one single
defining reason that cannot be overcome then that should suffice. However, in Section 3
of this Report we detail some of the benefits that come with IT Governance, considering
the more positive aspects. Not least of these is the better understanding and
management of the informational assets contained within an organisation.

As budgetary constraints are high on everyone’s agendas, it is worth considering the fact
that the cost of managing these informational assets and utilising them throughout the
enterprise typically runs at 30% of the indirect cost-base of an organisation. IT
Governance allows better use to be made of the available resource, which will drive down
these costs and increase their usage.

To move on from the ‘why?’ element of IT Governance and consider the ‘what?’ aspect,
we can look at the most oft-used description of IT Governance, which runs along the
lines of: IT Governance is the aligning of corporate and IT strategy.

As a single line explanation goes, one could say that it serves its purpose, but it really
falls far short of a true explanation. The problem is with the verb tense. IT Governance,
when properly initiated as an ongoing process, might have an end result of creating an
alignment of IT and corporate strategy, but it does not per se do the aligning in the
active sense. Nor, to continue this theme, should it have that as a primary purpose.

As discussed in more depth in Section 2 of this Report, IT Governance is concerned with
control by the person most qualified to provide the value from the IT department.
Mention has been made already of the 30% cost element of managing and utilising the
informational assets of an organisation, which is the direct responsibility of the CIO. We
can add to this a smaller element, typically around the 3% mark of total indirect costs,
for managing and implementing the infrastructure. Thus the CIO is faced with a cost
responsibility of over one-third of the total indirect costs of an organisation.

Although these figures are generalisations, and will vary from organisation to
organisation, they are a fair reflection of a median. Given this, it is unarguable that this
level of cost responsibility cannot be undertaken without the total ability to manage the
department in an autonomous manner. Autonomy does not indicate separateness from
the rest of the organisation; it simply means the right to govern with respect to local or
internal affairs. There is nothing inherently different about the IT department from
Finance, or Sales and Marketing. Each department within an organisation governs its own
affairs with regard to the affairs of the whole organisation.

The truth of the matter is that any department will only be aligned with the organisation
in its aims, aspirations, and implementations if it has local governance. If control is
passed to the wrong people, then alignment becomes that much more difficult – if not
impossible. If control is placed within the right hands, we can add a third responsibility to
the two cost-based ones previously highlighted. This third responsibility is:

• Responsibility for value creation and strategic direction in conjunction with other
departments that have autonomous management.

The model thus created is local management for centralised governance. This is not a
new model; it is the way all organisations work. The fact that we are discussing this
problem at all has historical roots. Each and every department within an organisation
that is currently seen as an element of the governance of the organisation has undergone
the same process of acceptance of importance to the whole entity. It is simply that IT is
the newest of these.

At this point one has to resist the temptation to talk about IT as the most important
element within an organisation. Although it is a fact that IT underpins the way that
business is transacted in a global economy, it is no more or less important than the other
elements. To think differently is to fall into the trap that has created the disconnect between
IT and the body corporate, which IT Governance is seeking to redress.

In truth, defining IT Governance is no facile task. Not only does it mean different things
to different people, the levels and methods of instantiating the IT Governance process
are many and varied; as can be seen from the Case Studies included in Section 7 of this
Report. The people and organisations who have allowed Butler Group to write about their
views and methods are to be commended. They have demonstrated a willingness to
expose their beliefs to a wide audience. Even though their views and methods may be, of
necessity, specific to their particular organisations, there is much to be learnt from
understanding their experiences. If the ‘what?’ of IT Governance is difficult, the ‘how?’ is
doubly so. What is clear however, is the requirement for two main elements. Firstly, a
strategic methodology to ensure that IT Governance does not turn into IT segregation.
Placing control into the proper hands is not a process that should be undertaken without
the involvement of everyone. This is especially true of IT, as the expectation for the
possibilities raised by technologies differ according to which stakeholder group one
belongs.

The question of stakeholders is an interesting one, as IT has to perform a balancing act
in an attempt to satisfy the expectations of this diverse group. A stakeholder can be
described in the following manner:

Any individual or third-party organisation that has an interest in, or an expectation of,
the performance of an organisation with which they have contact.

Thus, a non-exhaustive list based on that definition would include:

• Employees.
• Trading partners.
• Shareholders.
• Customers or clients.
• Governmental agencies.

Each of these individual groups has distinct expectations as to the use of information,
and the value of IT in general. These differing expectations can conflict. IT
Governance can not only help resolve some of these conflicts, but can also give proper
weight to the fulfilment of each expectation.

In Section 3 of this Report we take a closer look at the expectations of the various
stakeholders; their points of synergy and their points of conflict as they relate to the
value of information within an organisation. For obvious reasons (the 30% cost base is
one) we have chosen the value of information as a prime area on which to concentrate.
The other reason for concentrating on this area is that it is becoming apparent that the
vast majority of stakeholders are seeing information as a major differentiator between
organisations.

Although IT Governance is a process, and not an out-of-the-box solution, there are tools
that one can associate with it. Many of these are concerned with leveraging the benefits
of IT and answering the strategic requirement of corporate and IT alignment. In general
terms, the available tools and solutions can be used to create greater transparency
between IT and the rest of the organisation.

Again, with cost and making best use of available resource being such vital elements in all
areas of corporate planning, the use of Portfolio Management tools will be of especial
interest. These can be utilised with Risk Management tools to better understand the risk
elements within strategic planning and during implementation and execution cycles.
Visibility of success can be handled with the new generation of Balanced Scorecards, and
the change process is easier to control with the use of Change Management tools. Fuller
details on the use of these and their role within the IT Governance space are discussed in
more depth in Section 4 of this Report. There are also a number of detailed product
instances provided in Section 6.

As part of Section 4 of this Report, we have included a detailed study of architectural
governance for an Enterprise Architecture (EA), which describes a structured
methodology for putting together the teams required to aid in implementing EA. This is
transferable, with some modification, to other aspects of instantiating the IT Governance
process, and provides a strong foundation for the ‘how?’ element.

In our journey through the four questions of IT Governance, we are left with but one; the
‘when?’ In fact, this has already been answered with the discussion on external forces.
These forces are coming into play now, and although they may not have legal standing
with every organisation, all the indications are that they are having a knock-on effect.
We will return to Sarbanes-Oxley as an example.

Sarbanes-Oxley is only relevant to public companies quoted on the US stock exchanges
and companies that report into such companies. However, Butler Group strongly believes
that the visibility required by the Sarbanes-Oxley Act will be taken as a marker for other
companies, both public and private. Given the nervousness of IT investors at the current
time, we see compliance with Sarbanes-Oxley (even if not enforceable by law) as a
benchmark for creating investor confidence.

Therefore the ‘when?’ question is the easiest to answer, and that answer is ‘now’. IT
Governance, as a process, has so much to offer that ignoring it for any length of time can
have nothing but a detrimental effect upon organisations. The methodologies inherent
within putting the process in place will create a much tighter organisational infrastructure
allied to a more responsive and agile organisational response mechanism. It provides
visibility of cost and resource handling both intra- and inter-organisationally, which
provides the confidence all stakeholders require to continue with onward investment.

Contents

Section 1: Management Summary

Section 2: Definition and Introduction

Section 3: Value of IT Governance

3.1 Role of Information
3.2 Architectural Imperatives
3.3 Architecture and Governance

Section 4: Practicalities of Governance

4.1 Balanced Scorecard and KPIs
4.2 Risk Management
4.3 Portfolio Management
4.4 Change Management
4.5 A Model Methodology

Section 5: Regulations

5.1 Sarbanes-Oxley
5.2 Data Protection
5.3 Money Laundering
5.4 Basel II

Section 6: Product Profiles

Product Profiles – Balanced Scorecard

ActiveStrategy – ActiveStrategy Enterprise Edition
CorVu – CorStrategy
Crystal Decisions – Crystal Performance Scorecard
Lawson Software – Scorecard
SAS – IT Value Management

Product Profiles – Change Management

Applied Innovation Management (AIM) – Change Management Expert 6.0
Computer Associates (CA) – AllFusion Change Management Suite
IBM Rational Software – Unified Change Management
Merant – Merant Dimensions 8
Mercury Interactive – Mercury Change Management
Network Associates – Magic Change Management
Serena Software – ChangeMan

Product Profiles – Portfolio Management

Alinean – ValueIT™
Artemis International – Artemis 7
Business Engine – Business Engine Network (BEN)
Changepoint – Changepoint Version 8
Lawson Software – Enterprise Performance Management Suite
Mercury Interactive – Mercury Portfolio Management
Niku – Niku 6
PlanView – PlanView V7.3.1

Product Profiles – Risk Management

Decisioneering – Crystal Ball
Methodware Ltd. – Enterprise Risk Assessor

Section 7: Case Studies

Introduction

Argos
Bolton Metropolitan Borough Council
Forestry Tasmania
Major International Bank
Steria
University of Strathclyde

Specifications

Publish Date

Published November 2003

Founder and President

Martin Butler

Research Authors

Richard Edwards, Alan Rodger and Michael Thompson

Additional Research by

Susan Clarke

Published by

Butler Direct Limited

Artwork and Layout by

Pynto Limited, www.pynto.com

Page Count

This Report contains 184 Pages

Pricing

UK - 995.00 GBP
Europe - 1,495.00 EUR
Rest of World - 1,495.00 EUR
