The Report looks at the various interpretations of IT Governance and puts forward Butler
Group’s specific view on exactly what IT Governance entails both in terms of concept and
in the reality of putting the process in place.
ActiveStrategy
CorVu
Crystal Decisions
Lawson Software
SAS
Alinean
Artemis International
Business Engine
Changepoint
Lawson Software
Mercury Interactive
Niku
PlanView
Decisioneering
Methodware Ltd.
Report Structure
The Report has been structured for ease of use by separating out sections that will be of
relevance to different people within the organisation.
After the Management summary, Section 2 creates a definition for IT Governance and
raises some of the key issues that will be discussed in later sections of the Report.
In this section we look at the positive aspects of IT Governance. How cost savings can be
made and how the use of information will drive organisations to new business models and
create new opportunities.
This section looks at four key areas for IT Governance: Balanced Scorecard, Change
Management, Portfolio Management, and Risk Management. It also introduces a model
methodology that is abstracted from the implementation of an Enterprise Architecture
and placed within the IT Governance framework.
Section 5 – Regulations
As many of the drivers for IT Governance come from external forces, in this Section we
look at some of those forces, including Sarbanes-Oxley and Basel II, and discuss the
implications of these legislations. We also consider an existing solution for Sarbanes-
Oxley compliance.
Section 6 – Product Profiles
Here we discuss the tools that aid the ongoing process of IT Governance. This is split into
four key areas discussed in Section 4 – Balanced Scorecard, Change Management,
Portfolio Management, and Risk Management.
Management Summary
Before any major undertaking an organisation has to ask four key questions: Why?
What? How? When? IT Governance is a major undertaking, and as such requires the
answers to these four questions – and to state that IT Governance is a major undertaking
is to understate the issue. IT Governance is the largest undertaking that any organisation
will face. Forget ERP and CRM systems; forget integration; forget moving to Web
services. The complexities within all of these will pale into insignificance compared to
undertaking the IT Governance process.
Given these complexities, the obvious response would be to ask the first of the
questions. Why? Explain the benefits! CRM allowed organisations to provide better levels
of customer service, to outface their operations, to globalise their front-office
applications. ERP systems tied together the back-office operations in a similar manner.
Integration, amongst other requirements, tried to tie these front- and back-office
systems together. Finally, Web services is starting to force a reconsideration of the way
that organisations offer their services.
The ‘why?’ question for IT Governance affects all these areas, and has an impact on
another major emerging area. Organisations are spending millions of – insert currency of
choice – on these three areas alone, yet one has to seriously question three aspects of
this spend. Firstly, who is involved in the decision-making process, and at what level of
responsibility? Secondly, what checks, controls, and measurement practices are put into
place to oversee these huge implementations, and who oversees these? Finally, who
bears the ultimate responsibility for failure, and is that person the one most heavily
involved in the initial decision-making process?
The one thing that IT Governance does at the highest level is to raise questions. What it
does after the process is running is to either answer those questions or make them
redundant. That is the true benefit of IT Governance. No longer will decisions be made by
the wrong people for the wrong reasons (wittingly or unwittingly). No longer will
organisations find themselves having to excuse ‘bad’ decisions. Bad decisions will still be
made (no process will ever overcome that), but they will have been made for the ‘right’
reasons. This is not semantic puffery; it is an important factor of corporate decision-
making.
This leads to the other major area, mentioned previously, another ‘why’ for IT
Governance; changing external forces. More specifically, IT Governance is a prime
requirement to ensure compliance with the raft of new legislation that is starting to
appear in the wake of the well-publicised financial mismanagement of high-profile
companies. Prime amongst the plethora of this new legislation is the Sarbanes-Oxley Act.
This Act not only changes the financial reporting requirements of organisations covered
by the Act, it effectively shifts the balance of power within those organisations; creating a
whole new corporate culture and hierarchy.
“As I will bear the penalty for failure, then I must have the final decision.”
A perfectly acceptable and understandable view. However, this control has extended past
the liability=control equation and infiltrated into other areas. Typically, the CIO can make
recommendations that may be over-ruled by the CFO. Given the control that exists within
most organisations, failure is difficult to apportion – the CFO still has control, but the
liability element has all but been removed. Control equates to power, and power is a
heady drug. Hardly surprising that CFOs are unwilling to cede power to another part of
the organisation; to provide autonomy.
The situation as it exists at the moment is that the CIO is allowed to ‘administer’ IT,
whilst the CFO ‘controls’ it. Sarbanes-Oxley throws the historical perspective out of the
window, by introducing another element into the equation. That element is ‘level of
liability’ or ‘penalty for failure’. Given the furore that accompanied the light (or non-
existent) penalties for corporate malfeasance demonstrated against certain individuals
recently involved in financial collapses of large corporations, it is hardly surprising that
the Securities and Exchange Commission (SEC) have publicly declared an intent to provide
greater protection to stakeholders in public companies. Although the initial move is
towards tightening up controls, there is little doubt that failure to comply will be met with
stronger action than has been the case in the past. There is a whole new ball-game in
town, and it is Sarbanes-Oxley. We can even detail the one specific Section that will force
the shift of power; Section 409, which states:
Each issuer reporting under section 13(a) or 15(d) [of the Securities Exchange Act of
1934] shall disclose to the public on a rapid and current basis such additional information
concerning material changes in the financial condition or operations of the issuer, in plain
English, which may include trend and qualitative information and graphic presentations,
as the Commission determines, by rule, is necessary or useful for the protection of
investors and in the public interest.
Reading that must make any CFO’s blood run icy cold. It is almost impossible to pick out
one single key word or phrase in this innocuously short paragraph, but if one were to
make the attempt, then one would most likely choose ‘operations’. The operational
aspect of an organisation is held within the IT systems, and the person best placed to
understand what IT systems are required for compliance with Sarbanes-Oxley is the CIO.
If that person should require new systems for compliance he/she is unlikely to be over-
ruled by the CFO, because by so doing the CFO would have removed any defence of
‘reasonable care’. If it could be demonstrated that the CFO of an organisation had vetoed
the implementation of systems for Sarbanes-Oxley compliance, then it could be
demonstrated de jure that he/she was in breach of the Act.
So we are reaching a situation where, for the first time and due to the same external
legislative forces that gave the CFO the over-riding controlling voice, the CIO will have
control. For these reasons, we at Butler Group have coined the phrase: IT is the new
accounts.
Although the external pressures that will force this change in the corporate socio-political
ecosystem may appear negative – talking of blame, culpability, and penalties – the
benefits of this enforced shift are in fact positive. The one simple reason for this is that
control or governance is always best held by the person closest to the problems and
issues and best qualified to deal with those problems and issues. IT Governance is
putting control where it belongs; in the hands of the CIO.
Although there are other reasons for the ‘why?’ of IT Governance, if there is one single
defining reason that cannot be overcome then that should suffice. However in Section 3
of this Report we detail some of the benefits that come with IT Governance; considering
the more positive aspects. Not least of these is the better understanding and
management of the informational assets contained within an organisation.
As budgetary constraints are high on everyone’s agendas, it is worth considering the fact
that the cost of managing these informational assets and utilising them throughout the
enterprise typically runs at 30% of the indirect cost-base of an organisation. IT
Governance allows better use to be made of the available resource, which will drive down
these costs and increase their usage.
To move on from the ‘why?’ element of IT Governance and consider the ‘what?’ aspect,
we can look at the most oft-used description of IT Governance, which runs along the
lines of: IT Governance is the aligning of corporate and IT strategy.
As a single line explanation goes, one could say that it serves its purpose, but it really
falls far short of a true explanation. The problem is with the verb tense. IT Governance,
when properly initiated as an ongoing process, might have an end result of creating an
alignment of IT and corporate strategy, but it does not per se do the aligning in the
active sense. Nor, to continue this theme, should it have that as a primary purpose.
Although these figures are generalisations, and will vary from organisation to
organisation, they are a fair reflection of a median. Given this, it is unarguable that this
level of cost responsibility can be undertaken without the total ability to manage the
department in an autonomous manner. Autonomy does not indicate separateness from
the rest of the organisation; it simply means the right to govern with respect to local or
internal affairs. There is nothing inherently different about the IT department than
Finance, or Sales and Marketing. Each department within an organisation governs its own
affairs with regard to the affairs of the whole organisation.
The truth of the matter is that any department will only be aligned with the organisation
in its aims, aspirations, and implementations if it has local governance. If control is
passed to the wrong people, then alignment becomes that much more difficult – if not
impossible. If control is placed within the right hands, we can add a third responsibility to
the two cost-based ones previously highlighted. This third responsibility is:
· Responsibility for value creation and strategic direction in conjunction with other
departments that have autonomous management.
The model thus created is local management for centralised governance. This is not a
new model; it is the way all organisations work. The fact that we are discussing this
problem at all has historical roots. Each and every department within an organisation
that is currently seen as an element of the governance of the organisation has undergone
the same process of acceptance of importance to the whole entity. It is simply that IT is
the newest of these.
At this point one has to resist the temptation to talk about IT as the most important
element within an organisation. Although it is a fact that IT underpins the way that
business is transacted in a global economy, it is no more or less important than the other
elements. To think differently is to fall into the trap that has created the disjoin between
IT and the body corporate, which IT Governance is seeking to redress.
In truth, defining IT Governance is no facile task. Not only does it mean different things
to different people, the levels and methods of instantiating the IT Governance process
are many and varied; as can be seen from the Case Studies included in Section 7 of this
Report. The people and organisations who have allowed Butler Group to write about their
views and methods are to be commended. They have demonstrated a willingness to
expose their beliefs to a wide audience. Even though their views and methods may be, of
necessity, specific to their particular organisations, there is much to be learnt from
understanding their experiences. If the ‘what?’ of IT Governance is difficult, the ‘how?’ is
doubly so. What is clear however, is the requirement for two main elements. Firstly, a
strategic methodology to ensure that IT Governance does not turn into IT segregation.
Placing control into the proper hands is not a process that should be undertaken without
the involvement of everyone. This is especially true of IT, as the expectations for the
possibilities raised by technologies differ according to the stakeholder group to which
one belongs.
Any individual or third-party organisation that has an interest in, or an expectation of,
the performance of an organisation with which they have contact.
Employees.
Trading partners.
Shareholders.
Customers or clients.
Governmental agencies.
Each of these individual groups has distinct expectations as to the use of information,
and the value of IT in general. These differing expectations can be conflictive. IT
Governance can not only help resolve some of these conflicts, but can also give proper
weight to the fulfilment of each expectation.
In Section 3 of this Report we take a closer look at the expectations of the various
stakeholders; their points of synergy and their points of conflict as they relate to the
value of information within an organisation. For obvious reasons (the 30% cost base is
one) we have chosen the value of information as a prime area on which to concentrate.
The other reason for concentrating on this area is that it is becoming apparent that the
vast majority of stakeholders are seeing information as a major differentiator between
organisations.
Although IT Governance is a process, and not an out-of-the-box solution, there are tools
that one can associate with it. Many of these are concerned with leveraging the benefits
of IT and answering the strategic requirement of corporate and IT alignment. In general
terms, the available tools and solutions can be used to create greater transparency
between IT and the rest of the organisation.
Again, with cost and making best use of available resource such vital elements in all
areas of corporate planning, the use of Portfolio Management tools will be of especial
interest. These can be utilised with Risk Management tools to better understand the risk
elements within strategic planning and during implementation and execution cycles.
Visibility of success can be handled with the new generation of Balanced Scorecards, and
the change process is easier to control with the use of Change Management tools. The
use of these and their role within the IT Governance space are discussed in
more depth in Section 4 of this Report. There are also a number of detailed product
instances provided in Section 6.
In our journey through the four questions of IT Governance, we are left with but one; the
‘when?’ In fact, this has already been answered with the discussion on external forces.
These forces are coming into play now, and although they may not have legal standing
with every organisation, all the indications are that they are having a knock-on effect.
We will return to Sarbanes-Oxley as an example.
Therefore the ‘when?’ question is the easiest to answer, and that answer is ‘now’. IT
Governance, as a process, has so much to offer that ignoring it for any length of time can
have nothing but a detrimental effect upon organisations. The methodologies inherent
within putting the process in place will create a much tighter organisational infrastructure
allied to a more responsive and agile organisational response mechanism. It provides
visibility of cost and resource handling both intra- and inter-organisationally, which
provides the confidence all stakeholders require to continue with onward investment.
Contents
Section 5: Regulations
5.1 Sarbanes-Oxley
5.2 Data Protection
5.3 Money Laundering
5.4 Basel II
Alinean – ValueIT™
Artemis International – Artemis 7
Business Engine – Business Engine Network (BEN)
Changepoint – Changepoint Version 8
Lawson Software – Enterprise Performance Management Suite
Mercury Interactive – Mercury Portfolio Management
Niku – Niku 6
PlanView – PlanView V7.3.1
Introduction
Argos
Bolton Metropolitan Borough Council
Forestry Tasmania
Major International Bank
Steria
University of Strathclyde
Specifications
Publish Date
Martin Butler
Research Authors
Additional Research by
Susan Clarke
Published by
Page Count
Pricing
UK - 995.00 GBP
Europe - 1,495.00 EUR
Rest of World - 1,495.00 EUR