THOROGOOD PROFESSIONAL INSIGHTS
IT GOVERNANCE
MANAGING INFORMATION TECHNOLOGY FOR BUSINESS
David Norfolk
Published in 2005
MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE
  Management issues in IT governance
  Definition of IT governance
3 ORGANIZATIONAL IMPACT
  Culture
  Organizational maturity
  Roles and responsibilities
  Practical experience of governance
4 THE IMPACT ON IT
  IT service management
  Lifecycle systems development process
  Management reporting: Telling a true story
  Practical IT governance tools
6 CONCLUSIONS
APPENDIX
  Resources
Corporate scandals such as Enron and perceived issues such as storage of illegal
pornography on company servers, money laundering and terrorism have led to
a change in the way law is applied to ‘limited companies’. Increasingly, the buck
stops with the directors (including non-executive directors) of a company – who
are held personally responsible for the actions of their companies and, in some
cases, face huge fines and possible imprisonment. There is no doubt that this
has increased Board-level interest in IT governance, as corporate fraud, use of
corporate resources for illegal purposes, sexual and racial harassment increas-
ingly occur in the digital domain. The latest legislation means that a director who
turns a blind eye towards what is going on in his or her computers and to what
may be stored on company servers will probably find that ‘ignorance is no excuse’.
If you are not in control of your IT resource, you are not in control of your company.
In the same way that your annual report is audited to ensure that it tells a ‘true
story’ about your financial position, your computer systems must be audited to
show that they tell a ‘true story’ in the management reports they provide, in the
databases they update and in the reports they send to your regulators.
If the directors of a company that is not in control of its IT are asked to accept
responsibility for what their organization does and how it does it, how can they
do so with any confidence at all? Such a state of affairs cannot be allowed to continue.
Definition of IT governance
IT Governance is that part of corporate governance in general which ensures
that automated systems contribute effectively to the business goals of an organ-
ization; that IT-related risk is adequately identified and managed (mitigated,
transferred or accepted); and that automated information systems (including
financial reporting and audit systems) provide a ‘true picture’ of the operation
of the business.
References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the
Resources appendix, at the end of this Report.
Chapter 1
Context: Corporate governance
According to George Cox when he was Director General of the Institute of Direc-
tors, in the Introduction to the director’s guide to ‘corporate governance’ [IOD,
2004], “Modern capitalism – the model to which virtually the whole world now
aspires – is totally dependent on high standards of governance”.
In the UK, the law is defined by statute; statutory instruments, which implement
Acts of Parliament and can materially affect the impact of a statute; and is further
developed in the courts by precedent – so determining exactly what the law says
is not always straightforward and taking expert advice is often a good idea. We
then follow a ‘comply or explain’ approach to governance. What this means is
that, for example, companies with a full London Stock Exchange listing have
to state that they comply with, for instance, the Combined Code (the consoli-
dated governance rules promulgated in June 1998) but can report exceptions
in certain areas, where they must explain the reasons for their departure from
the rules.
The Combined Code places great emphasis on the need to manage risk, which
is largely what the financial reports made available to the various stakeholders
are used for. As Peyman Mestchian, (Director, risk management practice, SAS
UK) puts it “the sensible company takes risks – but not gambles”. You must take
a holistic and objective view of risk – there is more to worry about than just finan-
cial risk. Reputation risk, for example, is frequently overlooked – until loss of
reputation starts to affect the financial bottom-line, when it is often too late to
mitigate it (a reputation that took years to build can be lost in months). The Turnbull
Report guidelines to governance for companies quoted on the UK stock
exchange talk about the risk associated with market, credit, liquidity, techno-
logical, legal, health and safety, environmental, reputation and business probity
issues, as well as financial risk. However, some risk is good – you can’t avoid
risk without forgoing the business opportunities associated with new kinds of
customers, new technologies and new products. In fact, risk avoidance is in itself
risky as it limits your opportunities for profit, and doing nothing is frequently
the worst possible response to an emerging issue. What is important is that
commensurate rewards are associated with the risks that you take, which implies
that you have access to reliable information that lets you forecast the rewards
and assess the risks with confidence.
You could say that the prime objective of IT governance is to help rather than
hinder the Board in its governance efforts, as part of a dynamic partnership
between business and technology. (Technologists enable business; business
rewards technologists.) In many organizations, the IT function is seen as a bit
of a loose cannon, subject to different standards, responsibilities and controls
to the rest of the organization; and, in the long term, this isn’t going to be good
for the careers of those employed by the IT function.
Regulations in the USA, say, are generally more draconian these days – although
even Sarbanes-Oxley seems to be less prescriptive and more in the European
style than previous US regulations. This is actually an improvement, as it is harder
to merely comply with the ‘letter of the law’ if you can be assessed both on what
you consider to be appropriate internal controls and also on the effectiveness
of your implementation of these controls.
International corporate governance rules are also changing, but rules world-
wide seem to be generally moving in the same direction. Eventually, it is hoped
that the mission statement of the International Accounting Standards Board
(IASB) will come to fruition and we will have ‘a single set of high quality, under-
standable and enforceable global accounting standards that require transparent
and comparable information in general purpose financial statements’.
The Board needs to recognize the risk factors affecting IT projects: very large
projects, highly visible projects, projects crossing geographical or departmental
boundaries, projects using new technology and projects particularly dear to the
Board's heart are all particularly risky.
What technology can’t do, of course, is to inculcate common sense in the Board
or counteract complacency or greed. Increasingly, a technical failure that is
allowed to affect the operation or reputation of a company is being seen as a
failure of corporate governance – as, of course, it is.
The next chapter looks at the legal framework underlying governance gener-
ally in the context of IT governance specifically.
Chapter 2
External pressures:
What regulations?
  The response to apparent governance failures
In fact, IT governance should be seen as a way in which the Board can ensure
that IT resources are deployed and managed cost-effectively, in the pursuit of
business strategy. The ultimate aim of IT governance is better, faster, cheaper
business.
Nevertheless, one aspect of this is the transparency that ensures that all the stake-
holders in a business can satisfy themselves that the business is being carried
out honestly and ethically, in the interests of the business (and community) as
a whole, instead of the dysfunctional interests of particular parties. In the extreme,
IT Governance is about mitigating the risk of internal IT-assisted fraud,
probably a far greater potential disaster to a company than the high profile risk
of external hacking. The positive benefit from this transparency is that you can
demonstrate the probity and reliability of your company to third parties: business
partnerships will be easier to arrange (thus enabling greater automation of inter-
business processes or ‘straight through processing’) and that raising investment
capital (from shareholders) should be easier.
Bank of Crooks and Conmen International). It became apparent that many people
held more non-executive directorships than they could manage if they were really
overseeing the governance of the companies they held them with, and were
treating them simply as a rewarding perk; and then Enron threatened to make
the idea of corporate governance a joke.
Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn’t
just specify a list of more-or-less arbitrary rules) but attempts to engender ‘good
practice’ and foster ‘organizational maturity’. A company that satisfies the spirit
of Sarbanes-Oxley, for example, will be a better-managed company, able to
measure the effectiveness with which it aligns IT objectives to business objec-
tives, able to demonstrate the effectiveness and honesty of its financial reporting
– and able to operate more cost-effectively as a result.
Even so, there is a lot of new legislation surrounding financial reporting and
internal control generally, which the IT group must be aware of. It is always
going to be more effective in the context of an evolving business and rapidly
changing technology if IT governance is built into automated systems from the
start. This means adopting a lifecycle development and maintenance process,
which treats regulatory requirements as equal in importance to the other business
requirements and implies that automated systems are tested against scenarios
derived from applicable legislation. In general, the IT group can expect business
stakeholders in an automated system to tell it what the regulatory requirements
are, but the IT analysts must question what they are told and ensure that automated
systems can satisfy ‘non functional’ requirements for effective audit trails, access
controls and systems resilience, which originate in governance-promoting legis-
lation. In turn, this means that they must be aware of what legislation exists and
what sort of controls it mandates, at least so they can have sensible conversa-
tions with business managers as to what is needed.
COSO describes an internal control process, run by the Board with the co-opera-
tion of an organization’s management, which addresses the need for:
The Combined Code is now under the auspices of the Financial Reporting Council
(FRC) and further changes can be expected as and when needed to ensure that
it remains relevant in the face of changing business conditions and technologies.
The new Act (the Companies (Audit, Investigations and Community Enterprise) Act
2004, discussed below) comes into effect in stages, but the sections affecting IT
Governance came into effect in April 2005. This didn't give companies long to prepare.
The new Act defines the obligations and powers of company auditors in more
detail than before and probably means that pulling the wool over the eyes of
the auditors will become harder. The auditors have strong rights of access to
all the company’s books and can require people to answer almost any questions
that they think are important to their audit – even people that are no longer
employed by the company – and can require the company to obtain informa-
tion from overseas subsidiaries.
This section of the Act has serious implications for IT governance, always remem-
bering that the detailed impact will depend on the attitude of the courts in
interpreting it. It implies that any information likely to be required by an auditor
should be easy to extract from automated systems, and that its provenance and
reliability can be demonstrated. Since it cannot be determined in advance precisely
what will be required or what criticism will be made of the quality of any infor-
mation supplied, this has serious implications for the technical design of IT
systems. If you don't have an authoritative audit trail for a piece of information
before the auditors ask for it, it may be very hard to implement one 'after the
fact': if all and sundry could access the information and change it, proving its
authenticity may be impossible or, at the very least, may involve very expensive
and time-consuming analysis of system logs.
What this also means is that company management, and its directors in partic-
ular, will have to think in advance about the sort of information the auditors
might need and ensure that systems are designed to provide it (or can be easily
modified to provide it) as and when required. This policy then forms a ‘non
functional requirement’ for systems development in general – which developers
must be made aware of. Similarly, the provision of robust audit trails for finan-
cial information becomes a general non-functional requirement.
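The requirement just described (an audit trail designed in before the auditors ask for it, whose provenance can be demonstrated even though many people can write to the underlying data) is illustrated by the following added example. It is not taken from the report or from any product the report names. It keeps an append-only, hash-chained audit log in which every entry carries a keyed MAC over the previous entry's MAC, its own sequence number and its record. Two things are assumed rather than stated by the report: that the MAC key is held by the audit function and not by anyone with write access to the application database, and that the ledger postings shown are constructed sample data. Altering or deleting a historic entry then breaks the chain at that point, so the trail's integrity can be checked mechanically rather than reconstructed from system logs after the fact.

```python
"""Tamper-evident audit trail: an append-only, hash-chained, keyed log.

Added example, not code from the original report. Assumption: the MAC
key is held by a party that cannot edit the application database (for
example the internal audit function), so a database user who alters a
record cannot also re-sign the chain. All sample records are constructed.
"""
import hashlib
import hmac
import json
from typing import Any

GENESIS = "0" * 64  # link value for the first entry


def _canonical(record: dict[str, Any]) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key: bytes, prev_mac: str, seq: int, record: dict[str, Any]) -> str:
    # Bind this entry to its predecessor, its position and its content.
    msg = prev_mac.encode() + seq.to_bytes(8, "big") + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log: list[dict[str, Any]], key: bytes,
                 record: dict[str, Any]) -> dict[str, Any]:
    """Append `record` to `log`, chaining it to everything written before it."""
    seq = len(log)
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev_mac, "record": record}
    entry["mac"] = _entry_mac(key, prev_mac, seq, record)
    log.append(entry)
    return entry


def verify_chain(log: list[dict[str, Any]], key: bytes) -> tuple[bool, int]:
    """Recompute every link and MAC.

    Returns (True, -1) if the log is intact, otherwise (False, seq) where
    seq is the position of the first entry that fails to verify.
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        # A gap or reordering shows up as a wrong sequence number or link.
        if entry["seq"] != i or entry["prev"] != prev_mac:
            return False, i
        expected = _entry_mac(key, prev_mac, i, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, -1


def demo() -> tuple[tuple[bool, int], tuple[bool, int], tuple[bool, int]]:
    """Build a small ledger trail, then tamper with it in two ways."""
    key = b"held-by-internal-audit-not-by-the-dba"  # assumption, see docstring
    log: list[dict[str, Any]] = []
    # Constructed sample postings, as an application would record them.
    for rec in [
        {"user": "jsmith", "action": "post", "account": "4010", "amount": 1250.00},
        {"user": "akhan", "action": "post", "account": "4010", "amount": 980.50},
        {"user": "jsmith", "action": "reverse", "account": "4010", "amount": -1250.00},
    ]:
        append_entry(log, key, rec)
    intact = verify_chain(log, key)
    # Someone with write access to the table quietly changes a historic amount.
    log[1]["record"]["amount"] = 98.50
    tampered = verify_chain(log, key)
    # Deleting that entry instead breaks the link from the entry after it.
    del log[1]
    truncated = verify_chain(log, key)
    return intact, tampered, truncated


if __name__ == "__main__":
    print(demo())  # ((True, -1), (False, 1), (False, 1))
```

The check localises the first bad entry, which is what an auditor wants to see: not only that something changed, but where the trail stops being trustworthy. The caveat is the one the lead-in states as an assumption: anyone holding both the key and write access can rewrite the chain from any point onward, so the design only demonstrates provenance if key custody is separated from the people and processes that can update the data.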
Further, the only practical way you can be sure that your policies concerning
the provision of audited financial information have actually been adopted in the
automated systems that you use, is to implement recognized ‘industry best
practice’ processes for the development of automated systems and the opera-
tional management of the infrastructure that they run on – such as the Dynamic
Systems Development Method [DSDM, web] and the IT Infrastructure Library
[ITIL®, web] procedures. Beyond even this, a company might find that process
improvement (the ability to say what you are going to do, measure what you
actually do and apply changes to the process that reduce any gap between aspira-
tion and achievement) helps it address regulatory criticisms in a cost-effective
way and cope with changing circumstances. One recognized process improve-
ment regime for IT organizations is CMMI (Capability Maturity Model
Integration) from the Software Engineering Institute [CMMI, Web].
Under the new Act, the company report must contain a statement from each
of the company directors at the relevant time, to the effect that there is no relevant
audit information of which the auditors are unaware (as far as the director knows),
and that he or she has taken all appropriate steps to make him or herself aware
of such information and to bring it to the attention of the auditors. This is very
similar to the requirements of American SOX legislation.
This implies traceability from policy through to execution, rather than any expec-
tation that the director should check any code for him/herself. However, if the
director is also Chief Technical Officer and a skilled programmer, say, he or she
might be expected to have some responsibility for poor IT systems QA – resulting
The Act appears to make life easier for directors in one aspect, by relaxing current
prohibitions on companies from indemnifying Directors against their liabilities
to third parties; it also allows companies to pay director’s defence costs if they
are taken to court. Nevertheless, such indemnification is largely illusory (and
very tightly controlled), because it is made in the form of a loan, which is immedi-
ately repayable if a director is convicted of a criminal offence or fined by regulatory
bodies. Such indemnification is also open to shareholder inspection.
Other parts of the new Act deal with the supervision of accounts and handling
of defective accounts; and identify the bodies responsible for accounting
standards. The powers of the Financial Reporting Review Panel are increased
so that it will now be able to look at interim as well as annual accounts and reports
and will be able to compel companies it is investigating to supply necessary infor-
mation. In some circumstances, the Panel can also obtain information from the
Inland Revenue if this is needed to prove an account defective.
Overall, it appears that the net result of the Companies (Audit, Investigations
and Community Enterprise) Act, 2004 will be that those directors that have heard
of it will begin to take a more active interest in whether their IT reporting systems
present a true and complete picture of what is going on in company financial
systems – and one that can be defended to third parties. IT Governance is likely
to be on the Board agenda as part of corporate governance – and all concerned
should be aware of this new Act.
The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticized), and then you devise a defensible approach to internal
control for your systems and then you must demonstrate that you are adhering
to your own rules. In other words, it’s not simply a case of adhering to the rules,
there’s an effectiveness measure too (and this is more along the lines of European
regulatory practice).
The impact on IT is that it must facilitate this process, by building into its systems
and processes facilities that provide the information needed by SOX, the audit
trails needed to assure the integrity of this information, and so on. The IT Group
must also be aware of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for compli-
ance, that are a constant maintenance overhead when the business changes
[Faegre, web].
The two sections with most impact on IT are 302 and 404(a), which deal with
the internal controls that should be in place to ensure the integrity of a company’s
financial reporting and this will impact directly on the software that controls,
transmits and calculates the data used to build the company’s financial reports.
Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the
accuracy of their company’s quarterly and annual reports. They must state:
3. That to the best of their knowledge, the financial statements and other
financial information in the report fairly present, in all material
aspects, the company’s financial position, results of operations and cash
flows.
There are serious civil and criminal penalties for making untrue statements in
the areas above, so C-level executives are placing considerable trust in the integrity
of their IT systems and the people developing and supporting them. Which means
that they will start taking an interest in the IT process and that this will likely
become seen as an area C-level executives worldwide should be interested in
– even if SOX isn’t involved.
SECTION 404(A)
If Section 302 might have onerous implications for executives, Section 404 sets
out the rules in detail (and you should check the Securities and Exchange Commis-
sion (SEC) website [SECSOX, web] for the latest details and implementation dates).
In September 2003 the SEC said, “We recognize that our definition of the term
‘internal control over financial reporting’ reflected in the final rules encompasses
the subset of internal controls addressed in the COSO Report that pertains to
financial reporting objectives”.
The SEC expects to see an Internal Control report in a company’s annual report
that:
• states that the company auditor has checked out the management’s
assessment of its internal controls.
Not surprisingly, perhaps, in view of its general findings, the Netegrity Security
and Compliance Report [op. cit.] found that about a third of those that thought
SOX was important (only 15% of the total, remember) weren’t spending any
money on technology to facilitate compliance with Section 404; and a further
third were spending less than £50,000. In the light of this, it will also be no surprise
that almost 90% of them either weren’t sure that they’d manage to get their
internal controls accredited against SOX, or thought it not likely. Leaving aside
the question of penalties, is it possible that prospective partners in, investors
in, or purchasers of a business, might think a business that couldn’t satisfy SOX
Section 404 represented an increased risk over investing in, say, a more compliant
organization? One would certainly think so.
James S Turley, Chairman and CEO, Ernst and Young [Turley, Web] sees this
as a welcome step towards global corporate governance standards. It certainly
underlines the global nature of commerce today and hence the need for global
regulation.
Basel II will have a significant impact on banking processes and the IT systems
that implement and support them – largely in the area of credit risk profiling
and monitoring. The UK FSA issued a consultative paper 'Strengthening capital
standards' in January 2005 (consultation closed at the end of April 2005), putting
forward the options for implementing the EU Capital Requirements Directive (CRD),
the European legislation giving effect to Basel II, in the UK.
would be very hard to enforce, but inappropriate legislation that is only errat-
ically or arbitrarily enforced is hardly a sound basis for electronic or
computer-supported commerce.
• Data Protection regulations; for example, the Data Protection Act (UK)
[DPA, web] and legislation throughout Europe enforcing the EU Data
Protection Directive. Not only must you protect personal information,
which you can only collect and use for specified purposes, you must
destroy it securely when it is no longer needed and provide facilities
for the subjects of personal data to access and correct it.
• The Health and Safety at Work Act in the UK [HAS, web]. This applies
to workers in IT just as much as anywhere else. It isn’t perhaps an IT
governance issue, exactly, but it is important to remember that IT
workers are not exempt from Health and Safety issues – and some of
these (the impact of computer monitors on eyesight and Repetitive
Strain Injury (RSI) from keyboard use, for example) are particularly
related to computer use.
• The Disability Discrimination Act, 1995 [Disability, web]. Again, like Health
and Safety, IT organizations are not exempt. In particular, web sites must be
designed to be accessible to people with disabilities. The key standard
in this area is probably the Web Content Accessibility Guidelines 1.0
(1999; work continues on these and a Working Draft 2.0 was produced
in 2003), created by the Web Accessibility Initiative of the W3C [WCAG,
web].
Chapter 3
Organizational impact
  Culture
  Organizational maturity
Culture
Good IT governance doesn’t exist in a vacuum. However experienced your IT
staff are, and however good the practices they follow, you don’t have good IT
governance unless these practices are institutionalized as part of a formal process
that is regularly assessed and updated in the light of changes to the business
or technology.
If you just ‘do it right, because that’s how we do things’, even if you are successful,
how will you convince the auditors or regulators that you weren’t successful
purely through luck and that you will continue to do things right? Well, you’ll
have to conduct a review for them (or give them access to conduct their own
review) that lets them discover all your critical processes and determine that
they are properly controlled. This will be expensive, especially if you delegate
it to an external party – and you’ll have to do it all over again if the business,
the technology or even the interested party changes. This is not an efficient use
of resources and you can hardly claim to have implemented good governance
if it is based on such an ad-hoc set of processes. Consider, too, that time and
resource pressures applied to a process that essentially repeats the same evalu-
ations over and over will result in omissions and superficial assessments.
However, you can imagine a company that employs the best (or most expen-
sive) people taking the view that “what kept programmers from reaching their
full potentials were managers who tried to impose standards, expectations or
restrictions” (quoting from Larry Constantine’s description of the state of affairs
at the fictional Nanomush, in ‘Constantine on Peopleware’ [Constantine, 1995]).
Such companies are fairly common in the software industry and they usually
enforce any regulatory rules with draconian disciplinary procedures, once they
have been brought to their attention. So, if you're caught using someone else's
intellectual property in your IT systems, unlicensed, or you find fraudsters using
a back door into your systems put there so that programmers could fix bugs
faster, do you simply sack the person responsible for that bit of the system (if
they are still working for you) and hope that the issue goes away? Of course, it
doesn’t – the lawyers carry on seeking damages or whatever; you’ve lost the
free spirits who built your code without wasting time on documenting what they
did and the rest of your staff think you’re victimizing the unfortunate sacked
programmers, who were only doing what their culture expected anyway.
In this situation, you then start worrying about what other surprises await you,
because if leaving programmers free to do their own thing has given you one
problem, you have no means of assuring yourself that others haven’t taken similar
risks. Typically, after one bad experience, you start mandating compliance with
some source of ‘best practice’, telling your programmers ‘to get it right or else’
which, since you are trying to change their culture, probably won’t go down
very well (you may lose the best of them and keep the ‘dead wood’ that can’t
easily get a job elsewhere). You’ll find that you can’t just mandate compliance
with anything outside of a military organization – and, in fact, military manage-
ment practices are usually fairly enlightened because even under military discipline
the people at the sharp end can work around your mandates (and also because,
possibly, battlefield soldiers have the ultimate sanction available against bad
managers).
Unless you are the sort of company that sets goals before taking action, that
measures the impact of its actions relative to those goals and then changes what
it is doing to reduce the gap between its aspirations and what it actually achieves,
then attempts to achieve good IT governance are probably doomed to failure.
This culture of measurement and continuous process improvement is largely
what is meant by ‘organizational maturity’ – although in our ageist society, compa-
nies often prefer to aspire to being ‘adaptive’ rather than ‘mature’.
Organizational maturity
As Constantine points out [op. cit.], “Maturity is a central issue for the field of
software development. Methodologists are wondering how long it will take for
software engineering to mature as a discipline, managers are concerned about
the level of ‘process maturity’ in the approaches to development used within
their organizations, and project leaders wonder about the maturity of the individ-
uals whom they are called upon to lead”. But it’s a concern in many more fields
than just software development. Firefighting system failures may be fun and,
in some organizations, you may be rewarded for the loyalty and dedication
firefighting at 03:00 demonstrates – even if you're responsible for the problem
you’re fighting (you probably delivered really fast and got rewarded for that
too). However, most business users would prefer you to take a more mature
approach and not put the problem there in the first place (or, at least, observe
its appearance and preemptively nip it in the bud).
This concern for ‘maturity’ is really driven by a desire for a quiet life, without
surprises and embarrassments. Allegedly, the Software Engineering Institute
at Carnegie Mellon started looking at capability and maturity in IT software devel-
opment because someone at a party to celebrate the first moon landing noticed
that we could put a man on the moon but couldn’t build software that worked
reliably. It started to develop a Capability Maturity Model for Software that an
organization could use as a target to assess the maturity of its software delivery
processes against. It then found that there was a need for other process maturity
models and, to avoid the management issues of multiple assessments, came up
with the Capability Maturity Model Integration (or Integrated, in older refer-
ences) – CMMI.
CMMI
We must stress that we are not really discussing formal CMMI process
improvement initiatives here – they’re a whole different topic and deserve a report
in themselves. However, we are using CMMI as a framework within which to
talk about the maturity necessary for good IT governance. It is a convenient way
to categorize the levels of maturity in an IT organization, but we must apolo-
gize to serious CMMI practitioners for taking a rather superficial view of the
subject. You should also remember that although CMMI deals with more than
just software development, it doesn’t cover every aspect of an organization, even
if its levels could provide a convenient shorthand for describing maturity in areas
where CMMI proper doesn’t apply. For those seeking more information, refer
to the CMMI, web address in Resources Appendix.
Level 1 doesn’t mean that you have no process or that projects always fail or
that nothing good happens – a common misconception. However, at Level 1
any successes can’t be guaranteed – they may depend on particular people or
circumstances and a way of working in one project that delivers success may
be abandoned or, at least, not used somewhere else, simply because manage-
ment doesn’t recognize what it has. It is hard to see how you can claim any great
degree of IT Governance at the equivalent of CMMI Level 1.
Going from Level 1 to Level 2 can be quite onerous, because it involves recog-
nizing and documenting what you have – and that often brings you up against
the usual people issues as your IT ‘mavens’ may feel that documenting what they
do and sharing it with others diminishes their value in the organization. At Level
2, you are starting to have a degree of IT Governance – and, remember, that we
are only using the CMMI Levels as a framework for describing maturity levels.
technologies, where things may be changing too fast for a stable process to be
feasible (if you are implementing CMMI properly, we suspect that there is room
for argument here). Whatever, it is probably true that you can’t properly appre-
ciate the benefits, and the consequences or implications, of higher maturity levels
until you are at Level 2 or 3.
At the equivalent of Level 5, you are into continuous process improvement and
the occult powers of warrior-monks in Chinese martial arts movies start to seem
normal. Your metrics become predictive and you start to improve processes in
anticipation of emerging problems. At this level, IT Governance is so innate that
you probably don’t even need to think about it – but there aren’t many true Level
5 organizations in the world and many that have been assessed at CMMI Level
5 have only done so with a limited scope.
The point of this section is not to say that you must gain CMMI Assessment at Level 3 in order to implement good IT governance but that you must have a certain level of maturity across the whole organization in order to implement IT governance effectively. And CMMI Level 3 gives you some idea of the minimum maturity level you will need in practice. If you implement IT governance at lower maturity levels you will be lucky if it achieves what you hope it will. You will likely end up with ‘islands of good governance’ and may find that embarrassing areas aren’t covered. You will be unable to reliably measure either the effectiveness or the overheads of your governance initiatives, and you will be unable to manage the overall alignment of your IT Governance efforts with the requirements of corporate governance as a whole.
3. IT people are rewarded for delivery, which may conflict with the need
to get governance right.
The IT Group can well supply some of the requirements for IT governance, in the areas of business continuity and configuration management, for example, but there is a risk that its view of Governance will only reflect the technical issues. Being able to restore a working and up-to-date version of a database in the event of a contingency is very much a part of IT governance – but it is not sufficient, as if the people using the database can’t log into it, or don’t have desks to sit at or phones on which to call their customers, then the success of the IT governance of the database won’t matter much in the context of overall business continuity.
On the other hand, even though business users are ultimately the stakeholders
and paymasters for IT governance, they don’t have the technical expertise needed
to specify IT governance at the technical level. The business users may well be
the source of the specifications for IT governance embodied in or implied by
the legislative or regulatory environment, but, again, they are likely to specify
only part of the solution.
It is quite common to think that a conventional Audit Group will look after Governance but, in reality, it is almost the worst choice of all for this function. Auditors often specialize (although this is changing) in after-the-fact criticism (which is too late, impacts on delivery and is expensive to address), don’t generally have the up-to-date technical knowledge to control technologists and don’t have the culture to become part of the development team. We once remember noticing that the information archiving in a bank was rather out of control – everything was copied to tape, often several times after a series of changes and, while everything was in an archive, these were growing uncontrollably and it was doubtful whether the bank could answer ad-hoc enquiries from archives with any confidence. So we asked the auditors what the archive requirements were – and they wouldn’t budge from saying ‘archive everything forever’, which was hardly very helpful. However, the auditors may well be the ultimate backstop, the people who confirm that you have, in fact, addressed the letter of the laws and regulations. Nevertheless, it’s really too expensive to find out that you haven’t at this stage.
be criticized after implementation over governance issues the IT Group was hardly
aware of. This is largely a social matter, but an Internal Control Group can hardly
be expected to be respected, or even accepted, by the technologists in the IT
Group unless its members have experience and technical knowledge that the
IT Group respects – and unless the Internal Control Group acts as mentors instead
of policemen or technology superstars.
Whitehand points out that as a service provider to many large, and not so large, companies across the globe, CSC has to make sure that its relationship to its clients is good, in order to deliver the service its customers expect. IT governance is often confused with external control, he says, but it’s an internal thing, and has to be directed at managing the value delivered as well as the much more straightforward problem of controlling costs.
“We spend a lot of time, not talking about governance per se but just doing governance”, he says. “It’s not a big item on our agenda, we just have to get on with it because any services company has to worry about relationships and value delivered to the client, and the more we can demonstrate that this is a value and the more we can get the client to find it with us, the more we can help him – it’s a mutual benefit.”
Metrics, Whitehand says, are very important, but they’re not the be all and end all. You need to understand the value of the metrics. CSC is adopting a ‘balanced scorecard’ approach (which balances hard financial bottom-line metrics against softer metrics relating to intangible assets such as morale and customer satisfaction) [BalScore, web]. Other participants at the roundtable, Thomas Mendel
What this implies, of course, is that IT Governance based entirely on cost control, while comparatively easy to formulate and implement, will not deliver governance of all those aspects of an organization that are required for success today. And as an aside, in CSC’s world of outsourcing, the contract services are based in SLAs (‘we will do something for you on this day, or our networks will be up, or someone will answer the phone in a given timeframe and resolve your problem on the phone in a given timeframe too’), so performance against SLA may be an important metric for governance.
the final arbiter of where you’re going, he doesn’t think that business managers
should try to control technologists directly. So he cancelled that governance
meeting, “because it was of non-value to the company – it just turned into ‘let’s
stop them spending money and doing stuff’ [although] it was probably a bit
highhanded of me at the time”.
Business managers do not generally know enough about technology (at the
cutting edge, especially) to effectively manage technologists who may know more
about technology and its implications than they do. Similarly, we have seen a
business-focused IT group that thought that it knew more about the business
process than the business itself. It probably did, at the start, but it couldn’t maintain
this knowledge of the business cutting-edge without actually being involved in
the business day-to-day (perhaps this is less true in a user-focused development
environment such as eXtreme Programming).
Finally, Mendel made an illuminating remark to the table generally: “If you ask
IT directors and CIOs about governance you may be asking the wrong people,”
he said, “because from what we can tell all the initiatives around managing the
risk of IT delivery, making your IT processes produce business value, those kind
of things, they’re all not driven by IT, not in the beginning anyway, they’re driven
by the end users, by the Board, so the understanding of what governance means
to IT will come as a second step. We’re in a first phase,” he continues, “where
the business is starting to demand from IT an understanding of what products
we’re producing and how these compare with those from external markets, rather
than just internal service delivery”.
Chapter 4
The impact on IT
IT governance will have an impact on IT – there will be some things that IT staff
want to do that they won’t be able to do after you implement IT governance
and new initiatives that they’ll have to buy into. If implementing IT governance
has no effect on the way you work, one wonders why you’re bothering.
This impact must be managed, as must the fear that IT governance will get in the way of productivity and increase bureaucracy for its own sake. It may be worthwhile pointing out that unproductive IT – wasting resources – is itself a symptom of poor IT governance. You could do this in IT governance workshops, as part of the introduction of IT Governance. The point to stress is that IT governance is intended to produce a positive business benefit – although you may have to invest up front in order to achieve a longer term benefit. It is best to catalyze the implementation of IT governance with an obvious short-term benefit, such as the prospect of regulatory fines (or worse) if you don’t get your house in order.
So, to summarize, the most important effect on the IT Group is that it will have
to become a process-oriented organization with a measurement culture. The
idea is that it will be able to say what it is going to do about IT issues (including
things like compliance, reliable business service delivery and other governance
issues), evaluate its success in doing it and change what it does next in order
to reduce the gap between aspiration and achievement. This is the essence of
good governance.
IT service management
An important practical part of the BMC BSM picture is the Atrium Configuration Management Database (CMDB – an ITIL® term, see below – [Atrium, Web]), which provides information sharing and centralized management across both BMC and third party solutions. BMC claims that Atrium provides ‘a single source of truth for your IT environment’, an important basis for effective, manageable IT Governance (even if you don’t choose to obtain it with Atrium, it is an issue you will have to address).
• Identity management.
If you go back and compare these with the list of desirable processes in the previous section (under CMMI) you see a considerable overlap. You can come at IT governance top-down, from a process-oriented and process-improvement angle; or you can come at it bottom up, from best practice infrastructure procedures such as ITIL® (see below). Business Service Management can provide a good framework for presenting an integrated IT governance policy to both IT operations staff and even operational staff in the business; whereas the process-oriented view can appeal to upper management and regulators. In reality, both views are complementary.
ITIL®
Vendors usually promote Business Service Management but there should be a standards-based approach underlying it. This is usually ITIL®, the IT Infrastructure Library [ITIL®, Web], which was developed by the UK CCTA (Central Computer and Telecommunications Agency) in the late 1980s and is now owned by the UK Office of Government Commerce (the OGC – ITIL® is both a Registered and Community trade mark of the OGC) and adopted worldwide.
The ITIL® documentation has been revised during 2000 to ensure that it is consistent with, and forms part of a logical structure with, the BSI Management Overview (PD0005) from the British Standards Institute (BSI), BS15000-1 (Specification for service management) and BS15000-2 (Code of practice for service management). The British Standards Institution’s Standard for IT Service Management (BS15000) supports ITIL® and, unlike ITIL® itself, is a standard that you can certify against.
ITIL® is a library of books describing ‘best practice’ taken from both the public and private sectors internationally, together with a qualifications scheme, accredited training, and tools to assist with implementation and assessment. It certainly isn’t limited to UK practice or to public services organizations; despite its ‘ownership’ by an office of the UK government, it is, in fact, a general framework for IT governance, suitable for small, medium or large organizations, which must be customized to the needs of any particular organization. A whole philosophy of infrastructure management has grown up around ITIL® and the environment needed to support it.
A comprehensive ITIL® FAQ is available on the Web [ITIL® FAQ, Web] but organizations planning to implement IT Service Management might also want to read ‘Planning to Implement Service Management’, which explains the steps involved in implementing or improving IT service provision [PlanISM, 2002]. There is also
To use ITIL® you really need to buy the library; we can’t cover it all here. However, we will provide an overview of its structure and scope, although this is not a definitive guide to ITIL®, which is well-documented by the OGC.
ITIL® divides Service Management into Service Support and Service Delivery.
Service support consists of six functional areas:
1. Configuration Management;
2. Change Management;
3. Release Management;
4. Incident Management;
6. Service Desk
2. Capacity Management;
This provides a foundation for other processes such as Incident, Problem, Change and Release Management. It maintains a logical model of the IT infrastructure, stored in a CMDB (Configuration Management Database) and built from ‘configuration items’ (CIs). It identifies, controls, manages and verifies the version of each configuration item. Configuration management involves planning (in detail for 3-6 months ahead and in outline for 12 months past that); identification of CIs (ownership, and unique id, for example); control of CIs under change management review; status accounting and tracking; verification and audit of CIs.
This controls changes to CIs in the production environment and has to balance
the need for systems improvement (driven by changing business or the
discovery of defects) against the potential risk associated with making changes.
ITIL® appears to limit Change Management to the live environment, relying on
project change processes to manage change within ongoing projects. Change
Management typically deals with raising and documenting a change request,
assessing its impact, cost, benefit and associated risk, obtaining and documenting
change approval, managing the implementation of change, reviewing the change
and closing off the request.
This is the holistic management of both the technical and the non-technical aspects
of major or critical changes. It plans and oversees the successful rollout of new
and changed software and associated hardware and documentation across a
distributed environment. Release management includes, but is rather more than,
software control and distribution.
This is about detecting and recording incidents (events impacting service levels), classifying them, diagnosing the root cause of the incident and resolving it, with the aim of restoring normal service as soon as possible, with minimum disruption to the business.
This is the central point of contact with the IT Service Organization for users
experiencing problems. A good Service Desk can have a disproportionate effect
on customer satisfaction. A good target is to close most service requests at first
point of contact with the Service Desk. Service Desk is preferable to the older
term ‘help desk’, as it reflects the wider scope of a service desk facility. The Service
Desk can be expected, these days, to be proactive, suggesting ways in which
problems can be addressed before they appear.
The aim of this is to document and agree service level agreements (SLAs) between
the providers and consumers of IT services, and improve service levels over time,
as the business changes. It is usually important that SLAs are business-oriented,
as the availability of one component is of no interest if the service it helps support
isn’t available to the business.
The aim of this is to ensure that capacity (disk space, computer power etc) increases or decreases in line with anticipated business volumes and performance needs. There should be a capacity plan, which is agreed with management and assigned a budget, so that it can be implemented to ensure that (in particular) lack of capacity doesn’t impact the business. There are three main areas of Capacity Management:
This is a vital part of IT Service Management and is really just the good financial governance of the IT infrastructure – management and reduction of costs, calculation of cost of ownership and return on investment, effective utilization of resources, management of internal and external contracts – and, of course, provision of financial reporting information to management. You would expect an IT organization to be able to account for the money it spends and to allocate this spend to the provision of defined services. Most organizations will also want to recover these costs from the users of these services, and possibly to influence customer behaviour, by means of some form of chargeback.
This concerns itself with ensuring that IT resources are available as and when needed by the business to satisfy its objectives. It is usually a balance of cost and demand, tempered by business criticality – redundancy, for example, helps to ensure availability but increases the cost of the infrastructure, with redundant components lying idle (unless you exploit some form of grid or on-demand
ITIL® is not a fixed standard but is evolving in response to feedback from its stakeholders. It was last updated in 1997, and the process of implementing a new update started at the end of 2004; the project reported in April 2005. This next version of ITIL® will preserve the key concepts of Service Support and Service Delivery. However, the consistency of its underlying structure and navigation will be improved and ITIL® will also be extended to increase its coverage of service management and of the cultural and organisational aspects of managing ITIL® best practice in a modern multi-sourced environment. It will also take on a ‘knowledge management’ aspect, with case studies, subject matter expert white papers, implementation packages, business cases etc, complementing the core content; and additional material to support the ‘value proposition’ associated with ITIL®. This may involve the addition of new books and topics to the ITIL® library and the removal of some books and topics; and may well change the qualification scheme. However, it will be an evolution of ITIL®, not a complete rewrite – the core volumes should be republished during 2007.
After all, most systems spend far longer, and consume more resources while
‘in maintenance’ than they do during development.
1. The team must ensure that the project’s aim helps the organization
forward.
What this means in practical terms is that the development and maintenance
of automated systems must be firmly based on the analysis and prioritization
of business requirements (including regulatory requirements). It must be possible
to trace through from business requirement to code and vice versa. Code should
contribute to an identifiable business objective (even if indirectly, as some code
is there for technical reasons) and if it doesn’t it shouldn’t be there; defects and
failures should be categorized/reported in terms of the business services they
impact.
of the system will be the norm (even eXtreme Programming) and, of course,
testing will be key to building the final system.
There are many standard development processes, so writing your own from scratch (which is how many of the currently available ones started) is no longer particularly useful. Most of them are supported by vendors; IBM/Rational RUP (Rational Unified Process) is a notable, and respected, example. The issue with a vendor-supported process is that it may focus on areas where the vendor has tools to sell; and it may not abstract its physical implementation from its logical model sufficiently. Ideally, a process should be implemented as a meta-process, used to instantiate a specific process for a particular activity (although the availability of ‘pattern’ instantiations for typical business situations would make sense).
DSDM
The Dynamic Systems Development Method [DSDM, web] is an accepted methodology for Rapid Application Development (RAD), originally developed by a consortium sponsored by IBM. DSDM is designed to be flexible – Agile – and relies on iterative development, using prototypes, within a non-prescriptive framework. It really consists of a non-prescriptive collection of ‘best practices’.
The framework within which iteration fits talks about five lifecycle phases:
4. System Design and Build Iteration: this phase refines the functional
prototype using feedback from the business to drive the production
of new prototypes. After sufficient iterations, this phase delivers a
working system, which addresses all the agreed stakeholder
requirements.
5. Implementation: this phase moves the tested system into the user’s
production environment and will include any user training required.
even after it has become recognized that the requirement has been
overtaken by events or was simply plain wrong.
eXtreme programming
IT developers, in particular, are often frightened of process (and, indeed, governance) because of a fear that it will restrict their creativity and put a pile of paperwork in the way of their productivity. In fact, this fear is usually unfounded – building on an accepted process frees developers to be more creative, to do more – and much of the required documentation can be machine-generated (a computer-maintained UML model of a system is better documentation than a folder-full of paper).
In marked contrast with the expectations of people who don’t know XP, it can be very compatible with good IT governance, and even process improvement approaches such as CMMI. The user involvement ensures that the IT project is aligned with the business; the emphasis on tests for each and every ‘requirement’, and constant repetition of the tests as the build changes, promotes quality; incremental delivery ensures that projects don’t run out of control. However, XP requires an extremely disciplined development team – at least as disciplined as for normal development, possibly more so – and some people adopt ‘XP-But’ (as in ‘we do XP but we don’t bother with all that awful testing...’) which won’t deliver the same results.
If your programmers think like this, then XP delivers good development governance. If they don’t, well, that is a management issue.
if you know that you can prove it hasn’t been tampered with and that you can read it – if you had a nine track tape of IMS transactions from 1980, could you find the hardware to read it on, run a version of IMS that could recreate the transaction, prove that no-one tampered with it 25 years ago and understand the application well enough to make sense of the business behind the transaction? Some people think that the only truly reliable audit records are human-readable document images, written in duplicate (with each duplicate stored in a different location) using standard document formats on robust media – but the implementation details of this will depend on the precise requirements.
It is better to build audit trails into the system design and possibly copy them securely into a system that only the auditors or internal control group, not the usual system administrators, have access to. However, in practice, this is not always easy: not all operating systems have fully granular security permissions, with no ‘super users’ (in fact, few do). You perhaps need to give systems administrators the power to change everything except audit data (this may be needed in order to fix problems) although you might want to provide controls on the exercise of these powers; but you might also want to give the auditors the power to see everything, including normally confidential data, but change nothing. When you try to implement such schemes, you discover that you need a sophisticated, rules-based security scheme but effective schemes like this aren’t common when you delve into the details. Taking two examples from the past, Windows NT had the granularity, but was too hard to manage and seldom implemented properly; Novell Netware (after v4) had the sophistication and directory-based manageability, but still supported ‘superuser’ (all powerful) IDs (including legacy admin IDs from a previous security model); neither implemented roles fully.
Encryption can come to your aid, not for Confidentiality but for non-repudiation. By encrypting a hash total derived from a document and transmitting the encrypted data alongside the document, you can prove that it hasn’t been altered (by checking that the received document hashes to the same figure as the original did); a similar approach can be used for ‘digital signatures’ (remembering that an email, say, is effectively digitally signed anyway, in practice). However, providing a hash signature for everything an auditor may ask about, may prove impractical.
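The two ideas above – audit records that the usual system administrators cannot quietly alter, and a keyed hash that proves a document has not changed – can be combined in a few lines. The following Python is an added example, not code from the book or from any product it mentions. It assumes a secret (AUDIT_KEY, a constructed value here) held by the auditors or internal control group rather than by the administrators of the system being audited, and the audit events are constructed. Each record is tagged with an HMAC over its contents and the previous record’s tag, so an in-place edit breaks the chain; the last tag is copied off-host so that silently deleting the newest records is also caught, which a chain on its own does not detect.

```python
import hashlib
import hmac
import json

# Constructed secret: in practice kept by the auditors / internal control group,
# off the administered host, so an administrator cannot re-tag altered records.
AUDIT_KEY = b"constructed-auditor-key-not-for-real-use"
GENESIS = "0" * 64  # chain start marker for the first record


def canonical(obj) -> bytes:
    """Deterministic serialization so the tag covers exactly what was recorded."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tag_for(body: dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_record(log: list, event: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append an event, chaining it to the previous record's tag."""
    body = {"seq": len(log), "prev": log[-1]["tag"] if log else GENESIS, "event": event}
    entry = dict(body, tag=tag_for(body, key))
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = AUDIT_KEY, expected_last_tag=None):
    """Return (ok, index): index is the first bad record, or None if the log is intact.

    expected_last_tag is the tag copied off-host after the last legitimate write;
    without it, truncation of the newest records cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(tag_for(body, key), str(entry.get("tag", ""))):
            return False, i
        prev = entry["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(log)  # records missing from the tail
    return True, None


def seal_document(doc: bytes, key: bytes = AUDIT_KEY) -> str:
    """The book's 'hash total' sent alongside a document, keyed so it cannot be recomputed."""
    return hmac.new(key, doc, hashlib.sha256).hexdigest()


def document_unaltered(doc: bytes, seal: str, key: bytes = AUDIT_KEY) -> bool:
    return hmac.compare_digest(seal_document(doc, key), seal)


def demo() -> dict:
    """Constructed walk-through: intact log, in-place edit, silent truncation."""
    log = []
    for event in (
        {"user": "alice", "action": "login", "host": "app01"},
        {"user": "bob", "action": "read", "object": "ledger/2005-q1"},
        {"user": "root", "action": "chmod", "object": "/var/log/audit"},
    ):
        append_record(log, event)
    anchor = log[-1]["tag"]  # copied to the auditors' system after each write

    edited = json.loads(json.dumps(log))  # deep copy, then an admin rewrites history
    edited[1]["event"]["user"] = "carol"
    truncated = log[:-1]  # an admin drops the newest record

    return {
        "intact": verify_log(log, expected_last_tag=anchor),
        "edit_detected": verify_log(edited),
        "truncation_without_anchor": verify_log(truncated),
        "truncation_with_anchor": verify_log(truncated, expected_last_tag=anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because an HMAC is symmetric, anyone holding AUDIT_KEY could have produced a tag, so this gives tamper-evidence against administrators who lack the key rather than non-repudiation towards a third party; the same chaining works unchanged with an asymmetric signature over the record body when that stronger property is needed.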
Process Director comes with a range of processes ‘in the box’: Select Perspective; Waterfall, Prince II (a UK Government sponsored project management process); and ‘Alignments’ to DSDM, Agile/XP and others. You can use these as a basis for developing a process customized to your own development requirements, without the risks associated with reinventing the wheel from scratch – real IT governance. See a brief review of the product by Andrew Griffiths of Lamri at [ADA2005-3, web].
Big claims but in our opinion, after talking to Ayman Gabarin, VP of IT Governance EMEA at Compuware, probably not unfounded.
CMDB is, in effect, an integration tool which federates the data from multiple
infrastructure monitoring and discovery tools into a cohesive logical whole –
that can reside on multiple physical platforms throughout an IT organization.
Mercury promises specific assistance with, for example, the key sections of Sarbanes-Oxley: Section 302, which requires CEOs and CFOs to sign statements, under penalty of perjury, verifying the completeness and accuracy of company financial statements; Section 404, which requires CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting; and Section 409, which requires companies to report material financial events immediately, in real-time, instead of waiting for quarter-end. Mercury’s products include comprehensive portfolio, program, and project management software and real-time dashboards that can be configured for CIOs, CFOs and CEOs to provide early warning of any project missteps, avoiding end-of-quarter surprises. They also provide end-to-end process control over software changes including enhancements, customizations, configuration, vendor patches and bug fixes; logging of all changes across the development, test stage and production landscapes; control over lifecycle processes and real-time project status.
Borland tools really do address most of the lifecycle, ranging from requirements
management with its innovative Caliber RM tool to model-driven development
with its Together products. However, perhaps what makes it stand out from an
IT governance point of view is its recent acquisition of Teraquest [TeraQuest,
web] (a CMMI consultancy), and focus on CMMI: it is actively pursuing CMMI
level 3 certification over this year and 2006 across all ALM products. Together
with its retention of Dr Bill Curtis of TeraQuest as Borland’s first Chief Process
Officer, this makes Borland a very interesting partner for process-focused IT
governance initiatives.
For instance, Telelogic claims that SYNERGY/Change is the ideal tool to define,
refine and deploy an Incident Management Process, as its process definition can
include lifecycles (workflows), states and transitions, attributes and formulas,
rules and access security.
The strength of Platform lies in its Business Service Object Model, effectively a
schema that should allow for the storage of an object’s state (where an object
may be anything from a whole service to an individual server), together with
the root cause of that state and its business impact. It appears that views into
this model can be customized for different audiences – always a useful feature.
Managed Objects also sells a specialised CMDB offering.
In the next chapter we look at some of the issues associated with actually implementing IT governance.
Chapter 5
Implementing IT governance
Obtain management sponsorship
Implementing a formal IT Governance regime, assuming that you have only ad hoc or informal governance processes at present, involves (despite what some vendors may tell you) a lot more than just buying some software – although once you do have the required culture in place, tools can facilitate the initiative. A first requirement is to align IT governance with corporate governance in general. Think of this as high-level requirements gathering – what are the business governance issues that currently worry the Board and the company auditors, and what questions would they like to ask or, more importantly, are they afraid to ask? Try to talk in terms of business issues, not technical solutions, of being able to demonstrate that the physical implementation of a bank’s money laundering policy, for example, is tested against the policies discussed by the Board of Directors, not about implementing Model Driven Architecture and Applications Lifecycle Management tools.
This discussion is only an input to your governance initiative. You can’t assume that the Board’s concerns are the right concerns – because informal risk analysis is often driven by media hype and by our tendency to concentrate on the most recent crisis we experienced. After the IRA bombings in London, people moved data centres down into the basement where they were safe from bombs but far more vulnerable to flooding, which is far more likely to affect a building in London than a bomb. Nevertheless, you’ll get no credit for your IT governance initiative if you can’t sensibly address the one question the CEO wants to ask, when he wants to ask it (even if the answer goes on to suggest that he/she may be asking the wrong question).
• The Internal Control Group reports to the Board via the Governance
Committee – it is immune to local politics in the IT Group and in business
departments, and is focused on corporate strategy. Since it sets
requirements but isn’t responsible for systems delivery, it isn’t tempted
to interfere in technical matters that are properly the province of the
experts in the IT group.
• The Auditors report independently and confirm that the processes are
working by comparing practice against the agreed framework
everyone should be working to. If it is all working properly, the Auditors
should not find problems after the fact when they are expensive to
address because any problems should have been addressed proactively
during systems development/maintenance. However, if the process
is starting to fail, the Auditors should be able to proactively alert
management to the issue.
As with any other IT project, IT governance needs clear objectives and a budget
allocation; and a plan showing how these objectives will be achieved and how
A governance forum, in which workers at the sharp end can discuss governance issues and suggest solutions in public (far more useful than mutterings around the water cooler about some technically infeasible governance edict), is a good idea. However, you must make sure that you document the action points from such a forum and show the community that the issues it identifies are at least given proper consideration (this is process management through feedback). It is also important that such a forum represents both the business and IT points of view, with fully informed and empowered attendees. If it becomes a cost-focused drag on innovation (e.g.: ‘our job is to find out where the IT department wants to spend money and stop it’) such a forum can be counterproductive.
The best way to do this is with diagrams, but the relationships involved are too
complex for this to be done manually. In addition, there is a strong risk that such
The best way to maintain such mappings is therefore with automated tools that
can generate the framework (at least) for automated systems from models relating
business processes to IT systems. Look for suites of systems development tools
(not necessarily from the same vendor) that support the entire development
lifecycle from business process modeling and requirements management, through
to coding and testing.
You also need BS7799-2:2002, the corresponding specification (which you can certify against); both are available as a package, with some extra material, as the ISO 17799 Toolkit. ISO 17799 et al. provide an excellent framework for implementing security and ensure that you take a holistic approach, starting with risk management (although the standard isn’t strong on the details of this) and covering often-neglected areas such as business continuity. However, some form of mentoring from an external security consultant is recommended too – it is difficult to make an unbiased assessment of risk and the threats facing you from inside an organization.
Tools to support IT risk assessment, implement ISO 17799, etc. are available. Some of these can be very useful, but beware of concentrating only on those areas your tools cover and neglecting business risk assessment as a whole: there is little point in mitigating the IT risk affecting a system if the business risk is uncontrolled; and almost any IT security measures can be rendered ineffective if unhappy or unjustly treated staff can be compromised, or if physical access to the premises and IT infrastructure isn’t effectively controlled. In the case of risk assessment tools in particular, investigate the provenance and localization of the threat database that underlies their risk assessment facilities. A database relating to US threats, say, may not be wholly appropriate in the UK, and a database that is some years old may miss emerging threats (ideally, you should be able to add threats from your own history to the database).
By its very nature, BSM must be cross-platform. Business users will not be happy if business-friendly service level reporting and management stops abruptly when their data strays onto the mainframe, for example. This is a serious governance issue, as discontinuities in the vocabulary and culture of service level management and security facilitate breakdowns in IT governance at that point.
Defect and problem tracking and service desk support are closely related to configuration management.
enced risk assessor), including risks the organization hasn’t encountered yet,
and deal with the spectrum of contingency from minor service interruptions to
a full-blown disaster that eliminates a data centre in its entirety.
If you don’t build software, you need a similar process for implementing packages. You still need to analyze business requirements, in order to choose a package which best fits your business process and in order to assess the impact of the business process embodied in the package on your existing business process. And you still need to test package applications, in case they don’t do what they say they will, or you implement them incorrectly. If you customize a package, this is really a small systems development project and similar QA measures are necessary.
This is usually associated with a service desk function, which should aim for
pre-emptive identification and mitigation of emerging issues, ideally before they
have any impact on a business service. There are many sophisticated service
desk packages: BMC Remedy [Remedy, web], for example, or FrontRange’s HEAT
[HEAT, web].
Choose your metrics carefully – people tend to deliver what you measure, so if
you choose the wrong measures you may get the wrong results. Early attempts
to measure the quality of support staff, for instance, in terms of the number of
calls completed in a period resulted in a plethora of quick fixes and recurring
problems – because continual short-term fixes to the same problem made the
metrics look better. It might have been better to measure problems fixed without
recurrences and customer satisfaction rather than calls processed. After all,
provided it is accessible and servicing the calls it gets, the fewer calls a service
desk has to process, the more successful it is!
13. Reviews
Reviews of IT systems after changes have bedded in, in order to enable a ‘gap analysis’ of the differences between aspiration and reality, followed by the scheduling of maintenance efforts aimed at reducing any gaps, are an important characteristic of good IT governance. Sometimes, as with CMMI initiatives (see Chapter 2), these reviews are part of a formal process but, regardless of how you approach IT governance, there must be some sort of review and feedback process. Change seems to be part of the nature of IT, so a static governance system, however effective, is unlikely to stay effective for long.
Chapter 6
Conclusions
“If it were done when ’tis done, then ’twere well it were done quickly.”
SHAKESPEARE, MACBETH.
“We believe the market is the best regulator of corporate activity. For the market to operate efficiently, however, we need a robust legal framework that ensures that investors have full and accurate information on which to base their decisions.
Following the collapse of WorldCom and Enron in the US, and miscellaneous corporate scandals elsewhere, the Department of Trade and Industry (DTI) reviewed all aspects of financial and audit reporting. We concluded that our approach was fundamentally sound, but that the system could be strengthened in a number of ways. In particular, we expanded the role of the Financial Reporting Council to provide independent oversight of the audit profession.
The European Commission has looked at these issues in parallel. One result of their work is a proposal for a new 8th Company Law Directive on statutory auditing – which updates the original 1984 Directive, and follows many of the UK’s initiatives.”
This activity means that stakeholders in IT governance, even indirect ones, are starting to ask questions about it. An investor in a company wants to be sure that the financial reports s/he relies on haven’t been tampered with so as to misrepresent the true position of the company – and also wants to be confident that they won’t contain errors that are the result of program bugs or logic errors.
Our overall conclusion must be that good IT governance, in a form that can be
demonstrated to the stakeholders in an organization and interested third parties,
if appropriate, is now an explicit requirement for any IT group. A piecemeal
approach is likely to be expensive, as it will have to be repeated every time
So, the fundamental requisite for good IT governance is a ‘mature and capable’ organization – one that says what it is going to do, does it, measures the consequences – and applies feedback in order to bring reality closer to the original aspiration.
Appendix
Resources
[8thDirCons, web] – http://www.dti.gov.uk/consultations/files/publication-1371.pdf.
[ADA2004-1, web] – Ian Murphy, ‘Would Sir like his database managed?’, ADA, Jan/Feb 2004, archived at (registration required): http://www.appdevadvisor.co.uk/archive/index.php.
[Kaplan and Norton, 1992] – Robert Kaplan and David Norton, ‘The Balanced Scorecard – Measures that Drive Performance’, Harvard Business Review, 1992.
[Kaplan and Norton, 1996] – Robert Kaplan and David Norton, ‘The Balanced Scorecard: Translating Strategy into Action’, Harvard Business School Press, 1996, ISBN 0-87584-651-3.
[OECD, web] – The review process for the OECD Principles of Corporate Governance, http://www.oecd.org/document/26/0,2340,en_2649_201185_23898906_1_1_1_1,00.html.
[OpenView, web] – http://www.managementsoftware.hp.com/solutions/bsm/.
[Reiss, 1995] – Geoff Reiss, ‘Project Management Demystified’, 2nd ed., E and FN Spon, 1995, ISBN 0 419 20750 3.
[StandDir, web] – Standards Direct is a source for copies of the ISO 17799 security standard, and a useful source of other BSI standards, http://www.standardsdirect.org/iso17799.htm. The ISO 17799 Service & Software Directory, http://www.iso17799software.com/, is also a useful resource.
[STR-DPA, web] – The UK’s anti-money laundering legislation and the Data Protection Act 1998, guidance notes for the financial sector, April 2002, http://www.hm-treasury.gov.uk/mediastore/otherfiles/money_laundering.pdf.
[Turley, web] – James S Turley, Chairman and CEO, Ernst and Young, ‘Get Ready for the EU’s 8th Directive’, Directorship, June 2004, http://www2.eycom.ch/library/items/directorship_200406/en.pdf.