
THOROGOOD

PROFESSIONAL
INSIGHTS

A SPECIALLY COMMISSIONED REPORT

IT GOVERNANCE
MANAGING INFORMATION
TECHNOLOGY FOR BUSINESS

David Norfolk
Published in 2005

Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU.
t: 020 7749 4748
f: 020 7729 6110
e: info@thorogood.ws
w: www.thorogood.ws

© David Norfolk 2005

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.

This Report is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser.

No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.

A CIP catalogue record for this Report is available from the British Library.

ISBN 1 85418 371 0

Printed in Great Britain by printflow.com

Other Thorogood Professional Insights:
Internet and E-commerce, Peter Carey
Strategy Implementation Through Project Management, Tony Grundy
Legal Protection of Databases, Simon Chalton
Software Contract Agreements, Robert Bond
Implementing E-procurement, Eric Evans and Maureen Reason
Email – Legal Issues, Susan Singleton

Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or email us: info@thorogood.ws
Contents

MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE ... v
Management issues in IT governance ... vi
Definition of IT governance ... vi

1 CONTEXT: CORPORATE GOVERNANCE ... 1

2 EXTERNAL PRESSURES: WHAT REGULATIONS? ... 6
The response to apparent governance failures ... 9
Legislative changes directly affecting IT governance ... 12
General legislation with IT governance implications ... 19

3 ORGANIZATIONAL IMPACT ... 23
Culture ... 24
Organizational maturity ... 26
Roles and responsibilities ... 30
Practical experience of governance ... 32

4 THE IMPACT ON IT ... 35
IT service management ... 37
Lifecycle systems development process ... 43
Management reporting: Telling a true story ... 49
Practical IT governance tools ... 51

5 IMPLEMENTING IT GOVERNANCE ... 56
Obtain management sponsorship ... 58
IT governance methodology overview ... 58

6 CONCLUSIONS ... 68

APPENDIX ... 72
Resources ... 73

Management overview:
Drivers for IT governance

Corporate scandals such as Enron and perceived issues such as storage of illegal pornography on company servers, money laundering and terrorism have led to a change in the way law is applied to ‘limited companies’. Increasingly, the buck stops with the directors (including non-executive directors) of a company – who are held personally responsible for the actions of their companies and, in some cases, face huge fines and possible imprisonment. There is no doubt that this has increased Board-level interest in IT governance, as corporate fraud, use of corporate resources for illegal purposes, sexual and racial harassment increasingly occur in the digital domain. The latest legislation means that a director who turns a blind eye towards what is going on in his or her computers and to what may be stored on company servers will probably find that ‘ignorance is no excuse’.

However, although this has been an immediate driver, a moment’s reflection will assure us that IT governance is a very positive thing for a company. Increasingly, computers are mission critical; increasingly a company couldn’t function without its computers and much of the worth of a company resides in ‘digital IP’: intellectual property in digital form. This includes not only digital documents but also company knowledge embodied in the algorithms implemented in computer programs and the models and ‘repositories’ that are used to analyze and validate business processes as part of software engineering generally.

If you are not in control of your IT resource, you are not in control of your company. In the same way that your annual report is audited to ensure that it tells a ‘true story’ about your financial position, your computer systems must be audited to show that they tell a ‘true story’ in the management reports they provide, in the databases they update and in the reports they send to your regulators.

Ultimately, you need to be a mature organization with a measurement culture – ‘you can’t control what you can’t measure’. You must have well-defined organizational goals, measure your progress towards these goals and apply corrections – feedback – if you aren’t getting closer to these goals. This is commonly accepted in business, but a largely unconscious exception has commonly been made in favour of the IT group. How do many organizations truly measure the ROI (return on investment) from IT? How many organizations accept IT projects that are ‘late, over budget and wrong’ as the norm? How many managers know what their IT staff actually do? How many organizations don’t accurately know how many PCs they have and what programs run on them? How many organizations don’t have an overall picture of exactly what is stored on their servers?


When the directors of such companies accept responsibility for what their organization does and how it does it, how can they do so with any confidence at all? Such a state of affairs cannot be allowed to continue.

Management issues in IT governance


• Providing an organizational structure that allows Board-level management to set strategic goals and cascade these through the organization down to the IT technicians implementing automated systems.

• Aligning IT strategy with business strategy.

• Providing an effective communications infrastructure that enables two-way communication (feedback) between all the stakeholders in the governance process, both internal and external.

• Providing effective low-level enforcement of business-focused governance policies in the IT sphere.

• Enabling the effective identification of IT-related risk in the context of business service provision, and the translation of IT risk mitigation measures into a business terminology.

• Providing metrics for the effectiveness of IT governance.

• Identifying a return on the investment in IT Governance in terms of ‘better, faster, cheaper’ business systems.

Definition of IT governance
IT Governance is that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organization; that IT-related risk is adequately identified and managed (mitigated, transferred or accepted); and that automated information systems (including financial reporting and audit systems) provide a ‘true picture’ of the operation of the business.

References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the Resources appendix, at the end of this Report.

Chapter 1
Context: Corporate governance

“Modern capitalism – the model to which virtually the whole world now aspires – is totally dependent on high standards of governance.”
GEORGE COX, ERSTWHILE DIRECTOR GENERAL OF THE INSTITUTE OF DIRECTORS

According to George Cox when he was Director General of the Institute of Directors, in the Introduction to the director’s guide to ‘corporate governance’ [IOD, 2004], “Modern capitalism – the model to which virtually the whole world now aspires – is totally dependent on high standards of governance”.

What he means by ‘governance’ is the overall and rigorous supervision of company management so that business is done competently, with integrity and with due regard for the interests of all stakeholders. And this is important, not for altruistic reasons but because investors wouldn’t buy shares in a company (or, rather, they’d insist on a considerable discount) if it wasn’t run that way. As Alastair Sim, Director of Strategy and Marketing at SAS, points out in his Foreword to the same work [op. cit.], staying competitive involves maintaining investor confidence. The best way to do this is to ensure the transparency of a company’s operations to investors and other stakeholders, by supplying them with appropriate and trustworthy information (with due regard to business confidentiality), and this is one of the main concerns of corporate governance, along with the need to comply with applicable laws and regulations.

In the UK, the law is defined by statute; statutory instruments, which implement Acts of Parliament and can materially affect the impact of a statute; and is further developed in the courts by precedent – so determining exactly what the law says is not always straightforward and taking expert advice is often a good idea. We then follow a ‘comply or explain’ approach to governance. What this means is that, for example, companies with a full London Stock Exchange listing have to state that they comply with, for instance, the Combined Code (the consolidated governance rules promulgated in June 1998) but can report exceptions in certain areas, where they must explain the reasons for their departure from the rules.


The Combined Code places great emphasis on the need to manage risk, which is largely what the financial reports made available to the various stakeholders are used for. As Peyman Mestchian (Director, risk management practice, SAS UK) puts it, “the sensible company takes risks – but not gambles”. You must take a holistic and objective view of risk – there is more to worry about than just financial risk. Reputation risk, for example, is frequently overlooked – until loss of reputation starts to affect the financial bottom-line, when it is often too late to mitigate it (a reputation that took years to build can be lost in months). The Turnbull Report guidelines to governance for companies quoted on the UK stock exchange talk about the risk associated with market, credit, liquidity, technological, legal, health and safety, environmental, reputation and business probity issues, as well as financial risk. However, some risk is good – you can’t avoid risk without forgoing the business opportunities associated with new kinds of customers, new technologies and new products. In fact, risk avoidance is in itself risky as it limits your opportunities for profit, and doing nothing is frequently the worst possible response to an emerging issue. What is important is that commensurate rewards are associated with the risks that you take, which implies that you have access to reliable information that lets you forecast the rewards and assess the risks with confidence.

Corporate governance ultimately depends on the good functioning of the Board of Directors – and, increasingly, non-executive directors are asked to take responsibility for deviations from good governance. Quoting Kerrie Waring, international professional development manager at the IOD [op. cit.], “A well functioning Board is key to the performance of companies and their capacity to attract capital. A well-established corporate governance framework should ensure that Boards monitor managerial performance effectively to achieve an equitable return for shareholders and uphold the values of fairness, transparency, accountability and honesty”.

You could say that the prime objective of IT governance is to help rather than hinder the Board in its governance efforts, as part of a dynamic partnership between business and technology. (Technologists enable business; business rewards technologists.) In many organizations, the IT function is seen as a bit of a loose cannon, subject to different standards, responsibilities and controls to the rest of the organization; and, in the long term, this isn’t going to be good for the careers of those employed by the IT function.

Corporate governance is often talked about in the context of publicly quoted companies, because the shareholders in such companies form a wide and visible set of stakeholders, and because stock markets underlie most economies these days. However, similar considerations also apply to private companies, of course, since although the stakeholders are different and the legal issues perhaps rather simpler, the owners of the company still need access to reliable information as to its operation.

Regulations in the USA, say, are generally more draconian these days – although even Sarbanes-Oxley seems to be less prescriptive and more in the European style than previous US regulations. This is actually an improvement, as it is harder to merely comply with the ‘letter of the law’ if you can be assessed both on what you consider to be appropriate internal controls and also on the effectiveness of your implementation of these controls.

International corporate governance rules are also changing, but rules worldwide seem to be generally moving in the same direction. Eventually, it is hoped that the mission statement of the International Accounting Standards Board (IASB) will come to fruition and we will have ‘a single set of high quality, understandable and enforceable global accounting standards that require transparent and comparable information in general purpose financial statements’.

Which brings us to Information Technology (IT), since large amounts of information are seldom stored, processed and retrieved manually these days. Your financial reporting is only as good as the quality of the data reported. You must be able to audit the lifecycle of this data from collection through to destruction: you must be able to show where it comes from, who has access to it and that any changes are properly authorized. IT can facilitate this: there is an issue with the transparency of IT (few businessmen are completely comfortable with code analysis) but business policies can be rigorously enforced in unambiguous computer code and any risk of manual error mitigated. Well, up to a point – ‘garbage in = garbage out’ applies and IT systems only do what they are told to do. This is, of course, a governance issue: the policies embodied in the automated systems must be aligned with corporate policy, the instructions input to the IT systems must be the right instructions, and the accuracy of the translation of these instructions into code must be tested.

IT is also increasingly a major source of risk in companies:

• IT facilitates worldwide access to internal systems, increasing the opportunity for fraud and data theft.

• The scope of impact of IT systems failure can be company-wide.

• IT projects are frequently an enabler for new business; in fact, IT systems are increasingly central to the operation of many companies.

• Despite the importance of IT, according to the Standish Group Chaos Reports [Standish, web], over 80% of IT projects come in late, over budget or wrong (and frequently all three) – over a quarter are cancelled before they are fully implemented.

The Board needs to recognize the risk factors affecting IT projects: very large projects, visible projects, projects crossing geographical or departmental boundaries, projects using new technology and projects particularly dear to the Board’s heart are all particularly risky.

IT development failures or operational failures are equally matters of corporate governance. When Nick Leeson brought down Barings, there was a real failure of banking governance – essentially, it simply isn’t good practice to allow traders to make their own settlements. However, you can equally see this as partly an IT governance issue:

• The technology is available to enforce governance policies.

• Positions and limits can be reported transparently to management.

• The calculation of settlements can be removed from the possibility of human error.

What technology can’t do, of course, is to inculcate common sense in the Board or counteract complacency or greed. Increasingly, a technical failure that is allowed to affect the operation or reputation of a company is being seen as a failure of corporate governance – as, of course, it is.

The next chapter looks at the legal framework underlying governance generally in the context of IT governance specifically.

Chapter 2
External pressures: What regulations?

“I think the reason that we are seeing an increase in ITIL® [say] over the last 9 months is due to Sarbanes-Oxley. They have to look at it, it’s not a question of should we/shouldn’t we, they do have to look at the process issues.”
THOMAS MENDEL, PRINCIPAL ANALYST, FORRESTER RESEARCH.

It is a mistake to see IT Governance as purely a response to external regulatory pressures, as this engenders a fundamentally unsound attitude: governance becomes seen purely as a cost, a cost of doing business, over which you have no control.

In fact, IT governance should be seen as a way in which the Board can ensure that IT resources are deployed and managed cost-effectively, in the pursuit of business strategy. The ultimate aim of IT governance is better, faster, cheaper business.

Nevertheless, one aspect of this is the transparency that ensures that all the stakeholders in a business can satisfy themselves that the business is being carried out honestly and ethically, in the interests of the business (and community) as a whole, instead of the dysfunctional interests of particular parties. In the extreme, IT Governance is about mitigating the risk of internal IT-assisted fraud, probably a far greater potential disaster to a company than the high profile risk of external hacking. The positive benefit from this transparency is that you can demonstrate the probity and reliability of your company to third parties: business partnerships will be easier to arrange (thus enabling greater automation of inter-business processes or ‘straight through processing’) and raising investment capital (from shareholders) should be easier.

Unfortunately, it must be apparent that corporate governance in general has had a bumpy ride at the end of the last century and the beginning of this one. The Bank of Credit and Commerce International survived conventional auditing for years, despite being run as a criminal enterprise (a fact apparently known to many inside the banking industry, where it was sometimes referred to as the Bank of Crooks and Conmen International). It became apparent that many people held more non-executive directorships than they could manage if they were really overseeing the governance of the companies they held them with, and were treating them simply as a rewarding perk; and then Enron threatened to make the idea of corporate governance a joke.

Since a lack of confidence in the operational probity of commercial organizations threatens the very fabric of international commerce, governments rapidly began to investigate the issue of what proper internal control should be – and then to tighten up regulatory legislation. This generally addressed corporate governance in the widest sense but, unavoidably, had implications for IT governance specifically.

Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn’t just specify a list of more-or-less arbitrary rules) but attempts to engender ‘good practice’ and foster ‘organizational maturity’. A company that satisfies the spirit of Sarbanes-Oxley, for example, will be a better-managed company, able to measure the effectiveness with which it aligns IT objectives to business objectives, able to demonstrate the effectiveness and honesty of its financial reporting – and able to operate more cost-effectively as a result.

Even so, there is a lot of new legislation surrounding financial reporting and internal control generally, which the IT group must be aware of. It is always going to be more effective in the context of an evolving business and rapidly changing technology if IT governance is built into automated systems from the start. This means adopting a lifecycle development and maintenance process, which treats regulatory requirements as equal in importance to the other business requirements and implies that automated systems are tested against scenarios derived from applicable legislation. In general, the IT group can expect business stakeholders in an automated system to tell it what the regulatory requirements are, but the IT analysts must question what they are told and ensure that automated systems can satisfy ‘non-functional’ requirements for effective audit trails, access controls and systems resilience, which originate in governance-promoting legislation. In turn, this means that they must be aware of what legislation exists and what sort of controls it mandates, at least so they can have sensible conversations with business managers as to what is needed.


The response to apparent governance failures

There are several commissions/committees etc that have reported on corporate governance and which provide a background to IT governance. Broadly speaking, these seem to have had wide influence, so that the Cadbury Report in the UK, for example, may well influence US legislators formulating US legislation.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
As long ago as 1985, The National Commission on Fraudulent Financial Reporting (the Treadway Commission) was set up under joint sponsorship by the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA, formerly the National Association of Accountants) to address the issue of fraudulent financial reporting. It resulted in the setting up of a task force under the auspices of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which developed a set of practical, broadly accepted criteria for establishing internal control and then evaluating its effectiveness. In 1992, this issued the Internal Control—Integrated Framework, commonly called the COSO framework, which has in turn influenced other initiatives, such as COBIT (Control Objectives for Information and related Technology) from the IT Governance Institute. COSO was developed in the USA but has influenced thinking on internal control and governance worldwide.

COSO describes an internal control process, run by the Board with the co-operation of an organization’s management, which addresses the need for:

• effective and efficient operational processes;

• reliable and truthful financial reporting processes; and

• compliance with all applicable laws and regulations.

Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Report, 1992)
This began the process of formalizing corporate governance in the UK and included a code of best practice. It was extended to cover, for example, corporate pay by the Greenbury Committee.


Combined Code on Corporate Governance (UK)
In 1995 a review of corporate governance in the UK started under the chairmanship of Sir Ronald Hampel, culminating in the Final Report: Committee on corporate governance, issued in Jan 1998. In June 1998, this resulted in the Combined Code [CC, web], which has more or less regulated corporate governance in the UK since, although it has been developed further (see The Higgs Review, below).

Organization for Economic Co-operation and Development (OECD), Principles of Corporate Governance
These were first published in 1999 and updated following a consultation process started in 2004, with representatives from, for example, business, trade unions and governments. The principles assert such things as the right of investors to nominate and elect company directors, question companies on their compensation policy and to ask questions of the auditors. The OECD also expects Boards to protect whistle-blowers by allowing them confidential access to someone on the Board. It is expected that the final version of the principles will be submitted to OECD governments for approval at the annual meeting of the OECD Council at Ministerial Level on 13-14 May 2005. The review process for the OECD Principles of corporate governance is described at [OECD, web].

Bank for International Settlements (BIS), Enhancing Corporate Governance in Banking Organizations
The Bank for International Settlements (BIS) is an international organization that fosters international monetary and financial cooperation and serves as a bank for central banks. The head office is in Basel, Switzerland and it has representative offices in the Hong Kong Special Administrative Region of the People’s Republic of China and in Mexico City. It was established in 1930 and is the world’s oldest international financial organization. The BIS report, Enhancing corporate governance in Banking Organizations (1999) [BIS, web], is a useful summary of the principles of corporate governance in 1999, referencing the Basel Committee etc. The BIS site is generally a useful source of information on banking governance.


Internal Control: Guidance for Directors on the Combined Code (Turnbull Report)
The Turnbull Report was issued in 1999 and adopting its recommendations [Turnbull, web] is mandatory for companies quoted on the UK Stock Exchange, but the recommendations are far from prescriptive, although companies will find them sufficiently challenging. They call for Audit Committees to adopt a broader role in corporate governance and reiterate that the Board should maintain an effective internal control regime. This implies accuracy and transparency in the IT reporting systems that must be a foundation of any such effort.

The Financial Reporting Council announced a review of Turnbull in July 2004, which should be published in time for it to take effect in accounting periods starting on or after 2006. This review is to ensure that the Turnbull guidance still achieves its intended effect, in the light of UK and international experience since 1999. Turnbull at present is concerned with the spirit of corporate governance and isn’t very prescriptive; it remains to be seen whether this review will make Turnbull more prescriptive, along the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull, although less purely prescriptive than is usual with US regulations), and what effect this will have. The UK Auditing Practices Board promises to revise its Bulletin 2004/3 on The Combined Code on corporate governance: Requirements of Auditors under the Listing Rules of the Financial Services Authority [ASB, web] in the light of any changes to Turnbull, for example.

IT Governance Institute, Control Objectives for Information and Related Technology
The Control Objectives for Information and related Technology (COBIT) is an important framework developed by the IT Governance Institute in the context of COSO and is built on the premise that the role of IT is to deliver the information that an organization needs in order to meet its objectives. IT Governance is then the process that ensures that it satisfies this role adequately. A useful introduction and overview of COBIT is contained in the Board Briefing on IT Governance, from the IT Governance Institute [BoardBrief, web].

The Higgs review
Derek Higgs was commissioned by the DTI to review the role and effectiveness of non-executive directors in the implementation of good corporate governance. He reported in 2003 with a set of suggested changes to the Combined Code, which was republished accordingly in that year.


The Combined Code is now under the auspices of the Financial Reporting Council (FRC) and further changes can be expected as and when needed to ensure that it remains relevant in the face of changing business conditions and technologies.

Legislative changes directly affecting IT governance
Legislation is what actually affects IT governance and it is important to actually read the legislation, as well as any guidance notes or press releases. Many vendors seek to generate sales from high profile legislation and only by referring to the legislation itself will you discover that there may be, for example, exceptions for smaller companies or wider issues that make a vendor’s ‘silver bullet’ solution unlikely to be effective. For example, ‘SOX kits’ are appearing which promise to deliver Sarbanes-Oxley compliance – but in the absence of an active and well-understood process framework it is unlikely that these will deliver more than compliance with the ‘letter’ of the law on the day that they are delivered. Since directors are supposed to revisit internal controls whenever anything which might affect them changes, it is likely that any ‘silver bullet’ will prove to be expensive in the longer term, may well prove not to deliver the compliance with the spirit of the law that regulators expect – and won’t deliver the organizational benefits possible from a holistic approach.

Of course, if you put in place the frameworks, processes and organizational maturity necessary to comply with the spirit of Sarbanes-Oxley, say, you may find a ‘silver bullet’ technology that meets your needs – but it is then hardly just a silver bullet.

The Companies (Audit, Investigations and Community Enterprise) Act, 2004, in conjunction with the Companies Acts 1985 and 1989
This is the latest amendment to what is usually called the Companies Act [CompaniesAudit, Web], which regulates businesses in the UK. It’s a bit of a hotchpotch of different regulations and must be read in conjunction with the Acts it amends.
It talks about auditors at the beginning and about a new type of company at
the end, but in the middle it, in effect, sets up an equivalent to the US Sarbanes-
Oxley Act (see below) in the UK. It is less prescriptive and detailed than SOX,
but the devil will be in the detail of how the regulators and law courts interpret
the Act.

So, it is a matter of some concern that in a survey commissioned by Netegrity in 2004 of 281 security and compliance decision-makers in a range of UK companies across a number of sectors [Netegrity, 2005], over half of the respondents weren’t aware of The Companies (Audit, Investigations and Community Enterprise) Act, 2004. It is perhaps interesting that just over half were also confident that they’d meet the deadlines associated with current legislation – the survey doesn’t correlate the answers to these questions, so it isn’t possible to decide whether this is confidence born of optimism or ignorance.

The new Act comes into effect in stages, but the sections affecting IT Gover-
nance came into effect in April 2005. This didn’t give companies long to prepare.
The new Act defines the obligations and powers of company auditors in more
detail than before and probably means that pulling the wool over the eyes of
the auditors will become harder. The auditors have strong rights of access to
all the company’s books and can require people to answer almost any questions
that they think are important to their audit – even people that are no longer
employed by the company – and can require the company to obtain informa-
tion from overseas subsidiaries.

Failure to supply relevant information needed by the auditors will usually be a


criminal offence, punishable by a fine or imprisonment, or both. The Act states
‘If a person knowingly or recklessly makes to an auditor of a company a state-
ment (oral or written) that (a) conveys or purports to convey any information
or explanations which the auditor requires, or is entitled to require... and (b),
is misleading, false or deceptive in a material particular’, then the person is guilty
of the offence. An offence is also committed if someone delays in giving required
information (without good reason) and the auditors can always obtain an injunc-
tion to enforce their rights anyway.

This section of the Act has serious implications for IT governance, always remembering that the detailed impact will depend on the attitude of the courts in interpreting it. It implies that any information likely to be required by an auditor should be easy to extract from automated systems, and that its provenance and reliability can be demonstrated. Since it cannot be determined in advance precisely what will be required or what criticism will be made of the quality of any information supplied, this has serious implications for the technical design of IT systems. If you don’t have an authoritative audit trail for a piece of information before the auditors ask for it, it may be very hard to implement one ‘after the fact’ – if all and sundry could access the information and change it, proving its authenticity may be impossible or, at the very least, may involve very expensive and time-consuming analysis of system logs.

What this also means is that company management, and its directors in partic-
ular, will have to think in advance about the sort of information the auditors
might need and ensure that systems are designed to provide it (or can be easily
modified to provide it) as and when required. This policy then forms a ‘non
functional requirement’ for systems development in general – which developers
must be made aware of. Similarly, the provision of robust audit trails for finan-
cial information becomes a general non-functional requirement.
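The audit-trail requirement just described can be made concrete. What follows is an added example, not code from the report or from any of the methods it cites: a small append-only audit trail in which each entry carries a keyed digest (HMAC-SHA256) over its own content and the digest of the entry before it, so that editing, deleting, reordering or forging an earlier record is detectable when the chain is checked. The key, the actors, the timestamps, the ledger records and all class and function names are constructed for illustration.

```python
# Added example (not from the report): a keyed, hash-chained audit trail whose
# integrity can be demonstrated to an auditor after the fact. The key, actors,
# timestamps and ledger records are all constructed for illustration.
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed key; in practice held by the audit service, not by the writers of the data.
CONSTRUCTED_KEY = b"audit-trail-demo-key-not-for-production"

@dataclass(frozen=True)
class AuditEntry:
    seq: int           # position in the chain; catches deletion and reordering
    when: str          # timestamp supplied by the caller (constructed here)
    actor: str         # who changed the record
    action: str        # what they did
    record: dict       # the financial data as written
    prev_digest: str   # digest of the previous entry; links the chain
    digest: str        # HMAC-SHA256 over all of the above

def _canonical(payload: dict) -> bytes:
    """Stable serialization so identical content always hashes identically."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

class AuditTrail:
    GENESIS = "0" * 64  # prev_digest of the first entry

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[AuditEntry] = []

    def _digest(self, seq: int, when: str, actor: str, action: str,
                record: dict, prev_digest: str) -> str:
        body = _canonical({"seq": seq, "when": when, "actor": actor,
                           "action": action, "record": record, "prev": prev_digest})
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, when: str, actor: str, action: str, record: dict) -> AuditEntry:
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, when, actor, action, dict(record), prev,
                           self._digest(seq, when, actor, action, record, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the newest entry. Anchor it outside the system (e.g. hand it to
        the auditor periodically): the chain alone cannot detect a cut-off tail."""
        return self.entries[-1].digest if self.entries else self.GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """None if intact; else the index of the first failing entry, or
        len(entries) when the anchored head digest is no longer present."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_digest != prev:
                return i
            expected = self._digest(e.seq, e.when, e.actor, e.action, e.record, prev)
            if not hmac.compare_digest(e.digest, expected):
                return i
            prev = e.digest
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

def build_sample_trail(key: bytes = CONSTRUCTED_KEY) -> AuditTrail:
    """Three constructed ledger events."""
    trail = AuditTrail(key)
    trail.append("2005-04-01T09:00:00Z", "alice", "post", {"invoice": "INV-1", "amount": 1200})
    trail.append("2005-04-01T09:05:00Z", "bob", "approve", {"invoice": "INV-1"})
    trail.append("2005-04-02T10:00:00Z", "alice", "post", {"invoice": "INV-2", "amount": 300})
    return trail

def tampering_outcomes() -> dict:
    """Apply the changes an auditor worries about and report what verify() returns."""
    anchored_head = build_sample_trail().head()
    outcomes = {"clean": build_sample_trail().verify(anchored_head)}
    edited = build_sample_trail()                      # an amount changed in place
    edited.entries[1] = replace(edited.entries[1], record={"invoice": "INV-1", "amount": 1})
    outcomes["edited"] = edited.verify(anchored_head)
    deleted = build_sample_trail()                     # an approval removed
    del deleted.entries[1]
    outcomes["deleted"] = deleted.verify(anchored_head)
    forged = build_sample_trail()                      # rewritten by someone without the key
    e, new_rec = forged.entries[2], {"invoice": "INV-2", "amount": 3000}
    body = _canonical({"seq": 2, "when": e.when, "actor": e.actor, "action": e.action,
                       "record": new_rec, "prev": e.prev_digest})
    forged.entries[2] = replace(e, record=new_rec, digest=hashlib.sha256(body).hexdigest())
    outcomes["forged_without_key"] = forged.verify(anchored_head)
    truncated = build_sample_trail()                   # newest entry dropped
    del truncated.entries[-1]
    outcomes["truncated"] = truncated.verify(anchored_head)
    outcomes["truncated_unanchored"] = truncated.verify()  # invisible without the anchor
    return outcomes
```

The `truncated_unanchored` outcome is the caveat worth noting: a chain only proves that what remains is consistent with itself, so the latest digest has to be anchored somewhere the system’s own users cannot rewrite (handed to the auditors, say) before the trail can also show that nothing has been cut off the end. Keeping the HMAC key with an audit service rather than with the applications that write the data is what stops anyone who can edit the stored records from simply recomputing the digests to match.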

Further, the only practical way you can be sure that your policies concerning the provision of audited financial information have actually been adopted in the automated systems that you use is to implement recognized ‘industry best practice’ processes for the development of automated systems and the operational management of the infrastructure that they run on – such as the Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure Library [ITIL®, web] procedures. Beyond even this, a company might find that process improvement (the ability to say what you are going to do, measure what you actually do and apply changes to the process that reduce any gap between aspiration and achievement) helps it address regulatory criticisms in a cost-effective way and cope with changing circumstances. One recognized process improvement regime for IT organizations is CMMI (Capability Maturity Model Integration) from the Software Engineering Institute [CMMI, Web].

Under the new Act, the company report must contain a statement from each
of the company directors at the relevant time, to the effect that there is no relevant
audit information of which the auditors are unaware (as far as the director knows),
and that he or she has taken all appropriate steps to make him or herself aware
of such information and to bring it to the attention of the auditors. This is very
similar to the requirements of American SOX legislation.

In order to fulfill his or her duties as a director, a director is expected to communicate with his/her fellow directors and to have taken ‘such other steps (if any)... as were required by his duty as a director of the company to exercise due care, skill and diligence’. The director is thus expected to be reasonably well-informed, although only to have ‘the knowledge, skill and experience that may reasonably be expected of a person carrying out the same functions as are carried out by the director in relation to the company’, unless he or she has other specific skills.

This implies traceability from policy through to execution, rather than any expec-
tation that the director should check any code for him/herself. However, if the
director is also Chief Technical Officer and a skilled programmer, say, he or she
might be expected to have some responsibility for poor IT systems QA – resulting in code that doesn’t implement company policy or which implements fraudulent practices. It’s hard to predict exactly how the courts will view this part of the Act but when governance becomes a real issue for a company it’s hard to believe that any director who has attended college in the last 10 years, at least, can reasonably claim total ignorance of what constitutes good practice in IT systems development or operations, as most students attend at least some computer science courses at some stage in their education.

Actually falsifying directors’ statements in an approved company report is, of course, an offence punishable by a fine, imprisonment, or both. This applies not only to the director making a false statement but also to any other directors that knew the statement was false or who didn’t try hard enough to find out whether the statement was true, or who didn’t take reasonable steps to stop a report containing false statements from being approved and issued.

The Act appears to make life easier for directors in one respect, by relaxing current prohibitions on companies indemnifying directors against their liabilities to third parties; it also allows companies to pay directors’ defence costs if they are taken to court. Nevertheless, such indemnification is largely illusory (and very tightly controlled), because it is made in the form of a loan, which is immediately repayable if a director is convicted of a criminal offence or fined by regulatory bodies. Such indemnification is also open to shareholder inspection.

Other parts of the new Act deal with the supervision of accounts and handling
of defective accounts; and identify the bodies responsible for accounting
standards. The powers of the Financial Reporting Review Panel are increased
so that it will now be able to look at interim as well as annual accounts and reports
and will be able to compel companies it is investigating to supply necessary infor-
mation. In some circumstances, the Panel can also obtain information from the
Inland Revenue if this is needed to prove an account defective.

Overall, it appears that the net result of the Companies (Audit, Investigations
and Community Enterprise) Act, 2004 will be that those directors that have heard
of it will begin to take a more active interest in whether their IT reporting systems
present a true and complete picture of what is going on in company financial
systems – and one that can be defended to third parties. IT Governance is likely
to be on the Board agenda as part of corporate governance – and all concerned
should be aware of this new Act.

Sarbanes-Oxley Act (USA)


Sarbanes-Oxley (SOX, [SOX, Web]) is US legislation but it is very high profile.
Mark Mitchell of Informatica has met UK companies that are not subsidiaries
of US companies or listed on US stock exchanges, that claim to have a strategy
involving Sarbanes-Oxley compliance. This is usually revisited when he points
out the likely cost of this (although there are reasons for pre-emptive compli-
ance: the prospect of takeover by a US company, perhaps). Effective IT
governance is a worthwhile goal but compliance with any regulations that don’t
specifically apply to you, without a clear business reason, is very unlikely to be
cost effective.

Nevertheless, SOX does affect many UK companies. In the Netegrity Security and Compliance Survey [op. cit.], however, only 15% of respondents thought that it was important. It seems rather unlikely that 85% of UK companies are neither listed on the NY Stock Exchange nor NASDAQ; nor are offshoots of US companies; nor doing significant business with US companies (in which case they’ll need to supply the information their partner needs to satisfy SOX); nor likely to be taken over by, nor merge with, a US company.

Generally, SOX involves implementing an internal control framework such as COSO (see above) – and only a recognized control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment, will be accepted.

The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticized), and then you devise a defensible approach to internal
control for your systems and then you must demonstrate that you are adhering
to your own rules. In other words, it’s not simply a case of adhering to the rules,
there’s an effectiveness measure too (and this is more along the lines of European
regulatory practice).

The impact on IT is that it must facilitate this process, by building into its systems and processes facilities that provide the information needed by SOX, the audit trails needed to assure the integrity of this information, and so on. The IT Group must also be wary of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for compliance, that are a constant maintenance overhead when the business changes [Faegre, web].

The two sections with most impact on IT are 302 and 404(a), which deal with the internal controls that should be in place to ensure the integrity of a company’s financial reporting; this will impact directly on the software that controls, transmits and calculates the data used to build the company’s financial reports.

SOX SECTION 302

Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the
accuracy of their company’s quarterly and annual reports. They must state:

1. That they have viewed the report.

2. That to the best of their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.

3. That to the best of their knowledge, the financial statements and other financial information in the report fairly present, in all material aspects, the company’s financial position, results of operations and cash flows.

4. That they accept responsibility for establishing and maintaining disclosure controls and procedures, and the report contains an evaluation of the effectiveness of these measures.

5. That any major deficiencies or material weaknesses in controls, and any control-related fraud, have been disclosed to the audit committee and external auditor.

6. That the report discloses significant changes affecting internal controls that have occurred since the last report, and whether corrective actions have been taken.

There are serious civil and criminal penalties for making untrue statements in the areas above, so C-level executives are placing considerable trust in the integrity of their IT systems and the people developing and supporting them. This means that they will start taking an interest in the IT process, and that this is likely to become seen as an area C-level executives worldwide should be interested in – even if SOX isn’t involved.

SECTION 404(A)

If Section 302 might have onerous implications for executives, Section 404 sets out the rules in detail (and you should check the Securities and Exchange Commission (SEC) website [SECSOX, web] for the latest details and implementation dates).

In September 2003 the SEC said, “We recognize that our definition of the term
‘internal control over financial reporting’ reflected in the final rules encompasses
the subset of internal controls addressed in the COSO Report that pertains to
financial reporting objectives”.

The SEC expects to see an Internal Control report in a company’s annual report
that:

• states that company management is responsible for establishing and maintaining adequate internal control over financial reporting for the company;

• identifies the framework against which the effectiveness of this internal control is assessed by management;

• assesses the actual effectiveness of a company’s internal controls in practice, at the latest financial year-end; and

• states that the company auditor has checked out the management’s assessment of its internal controls.

Not surprisingly, perhaps, in view of its general findings, the Netegrity Security
and Compliance Report [op. cit.] found that about a third of those that thought
SOX was important (only 15% of the total, remember) weren’t spending any
money on technology to facilitate compliance with Section 404; and a further
third were spending less than £50,000. In the light of this, it will also be no surprise
that almost 90% of them either weren’t sure that they’d manage to get their
internal controls accredited against SOX, or thought it not likely. Leaving aside
the question of penalties, is it possible that prospective partners in, investors
in, or purchasers of a business, might think a business that couldn’t satisfy SOX
Section 404 represented an increased risk over investing in, say, a more compliant
organization? One would certainly think so.

The 8th Directive on Company Law in the EU


This is the European equivalent to Sarbanes-Oxley [8thDirCons, web] and could,
if it is agreed, be implemented in UK law during 2006. The UK Department of
Trade and Industry supports many of the proposals, which seem similar to UK
initiatives on, for example, auditor independence and independent monitoring
and public oversight, and it supports the adoption of International Standards
on Auditing (ISAs) in the EU. However, the DTI is (as usual) interested in a better
balance between principles and detailed rules (presumably this reflects UK
concern with the spirit rather than the letter of company law) and in the princi-
ples of subsidiarity and proportionality.

James S Turley, Chairman and CEO, Ernst and Young [Turley, Web] sees this
as a welcome step towards global corporate governance standards. It certainly
underlines the global nature of commerce today and hence the need for global
regulation.

Basel II and the EU’s CRD


The Basel Committee on Banking Supervision issued a revised framework for
capital adequacy (credit risk management) generally known as the Basel II (or
Basel 2) accord in June 2004. This comes into full effect in 2007. In July 2004,
the European Commission published a Capital Requirements Directive (CRD)
to bring Basel II into European Union (EU) law (although some aspects of CRD
are not yet finalized).

Basel II will have a significant impact on banking processes and the IT systems
that implement and support them – largely in the area of credit risk profiling
and monitoring. The UK FSA issued a consultative paper ‘Strengthening capital
standards’ in January 2005 (consultation closed at the end of April 2005), putting
forward the options for implementing CRD in the UK.

Basel II is of great importance to banks, but probably won’t affect companies in general very much. However, for financial institutions, Basel II has some quite subtle implications. Especially as some financial observers think that banking is all about the serious business of trying to evade the letter and spirit of the new accord, without being ambushed by the small print. Risk management is not particularly deterministic and the new rules may simply mean that risk is transferred to less (or differently) regulated subsidiaries. This could certainly result in some challenges for the IT group – a need for rapid changes to financial systems as risk arbitrage opportunities arise and disappear. This will be an environment not especially friendly to IT governance (higher levels of capability/maturity may not be particularly appropriate, for example) but business needs must rule and IT risk must still be managed (look what happened to Barings when controls were relaxed for a new business environment).

And, problems appearing with Basel II in practice, as it is implemented, will almost certainly result in a Basel III accord before too long.

General legislation with IT governance implications
A great deal of legislation has implications for the design and implementation
of IT systems – and always remember that IT isn’t a special case. The Internet,
for example, is often thought of as unregulated, because much legislation was
formulated before the Internet came along or without any particular reference
to it. In truth, however, it is over-regulated, since existing legislation usually applies
to it anyway, whether appropriate or not. Of course, some of this legislation would be very hard to enforce, but inappropriate legislation that is only erratically or arbitrarily enforced is hardly a sound basis for electronic or computer-supported commerce.

One of the objectives of corporate governance in the COSO framework is ‘compliance with all applicable laws and regulations’. In the IT world, this means that you must address, at least (the list isn’t exhaustive):

• The Freedom of Information Act (UK) [FI, web] or the equivalent in other countries. This does only apply to government services, but it will affect the design of information storage and retrieval systems for such services (not only must information be retrievable but the performance impact of this must be considered).

• Data Protection regulations; for example, the Data Protection Act (UK)
[DPA, web] and legislation throughout Europe enforcing the EU Data
Protection Directive. Not only must you protect personal information,
which you can only collect and use for specified purposes, you must
destroy it securely when it is no longer needed and provide facilities
for the subjects of personal data to access and correct it.

• Intellectual Property (IP) protection; for example, the UK Copyright, Designs and Patents Act and others [Copyright Act, web]. In many cases, the most valuable property in a company is its IP and it is particularly hard to manage technology IP, because a lot of it is still in people’s heads. An important related issue these days is software licensing. Unlicensed software may have been ‘hacked’ crudely and made unreliable, or even insecure, although it is hard to see that this makes it much worse than some legitimate products. However, it is illegal and the activities of organizations such as the Business Software Alliance [BSA, web] or FAST (the Federation Against Software Theft) [FAST, web] make even unintentional use of unlicensed software unacceptably risky. In January 2004, the Federation reinforced its use of criminal proceedings to crack down on the misuse of software under s.109 of the Copyright, Designs and Patents Act 1988. Companies have been prosecuted even while in the process of addressing their licensing issues, and the interruption to business (from confiscated computers etc.) and loss of reputation may be a bigger problem than the fine.

• Health services and pharmaceutical regulations such as, for example, the US Health Insurance Portability and Accountability Act of 1996 [HIPAA, web], and various pharmaceutical industry regulations worldwide. The pharmaceutical industry is particularly highly regulated.

• Telecommunications regulations such as the Regulation of Investigatory Powers Act (RIPA) [RIPA, web]. This impacts the interception of electronic communications and the use of encryption technology.

• The Health and Safety at Work Act in the UK [HAS, web]. This applies
to workers in IT just as much as anywhere else. It isn’t perhaps an IT
governance issue, exactly, but it is important to remember that IT
workers are not exempt from Health and Safety issues – and some of
these (the impact of computer monitors on eyesight and Repetitive
Strain Injury (RSI) from keyboard use, for example) are particularly
related to computer use.

• The WEEE Recycling Directive [WEEE, web]. This probably won’t impact end-users of IT much, but it may impact Operations, as most electronic equipment must now be recycled when it is disposed of (luckily, the vendor probably has to arrange this).

• The Disability Act, 1995 [Disability, web]. Again, like Health and Safety, IT organizations are not exempt. In particular, web sites must be designed to facilitate access by the differently abled. The key standard in this area is probably the Web Content Accessibility Guidelines 1.0 (1999; work continues on these and a Working Draft 2.0 was produced in 2003), created by the Web Accessibility Initiative of the W3C [WCAG, web].

• Anti-Money Laundering legislation, which (in the UK) is embodied in several pieces of primary legislation: the Criminal Justice Act 1988 (as amended), the Drug Trafficking Act 1994 and the Terrorism Act 2000 (as amended). This largely, although not exclusively, affects banking and financial organizations, which must make Suspicious Transaction Reports (STRs), if money laundering is suspected, to either the law enforcement authorities or to the relevant Money Laundering Reporting Officer (MLRO).

Obviously, automated financial processing systems may have to recognize suspicious transactions and this may impact IT systems design; there is also a possibility that STR processing may appear to conflict with the requirements of the Data Protection Act (since ‘tipping off’ the subject of an STR is illegal) and this may also have an impact on IT systems design or operation [STR-DPA, web]. Anti-Money Laundering legislation introduces its own risks too – what should a bank do if it finds that its best and most profitable customers are probably money launderers but it can’t really afford to lose their business?

Publications such as Gee’s IT Policies and Procedures [ITPP, 2004] attempt to guide subscribers on the current state of such legislation and are regularly updated, but you should always take professional advice as to the exact implications of legislation, if it affects you specifically.

In the next chapter we look at the impact of IT governance on the organization in general.

Chapter 3
Organizational impact
Culture ..................................................................................................24

Organizational maturity......................................................................26

Roles and responsibilities ...................................................................30

Practical experience of governance ..................................................32


Chapter 3
Organizational impact

“It is a society’s entire governance culture that affects its long-term development. Its institutions of governance as a whole – corporate and public governance together – rather than any of them alone are what matter.”
FROM THE FLYER FOR ‘GOVERNANCE CULTURE AND DEVELOPMENT: A DIFFERENT PERSPECTIVE ON CORPORATE GOVERNANCE’ BY NICOLAS MEISEL, ON THE OECD WEBSITE.

Culture
Good IT governance doesn’t exist in a vacuum. However experienced your IT
staff are, and however good the practices they follow, you don’t have good IT
governance unless these practices are institutionalized as part of a formal process
that is regularly assessed and updated in the light of changes to the business
or technology.

If you just ‘do it right, because that’s how we do things’, even if you are successful, how will you convince the auditors or regulators that you weren’t successful purely through luck and that you will continue to do things right? Well, you’ll have to conduct a review for them (or give them access to conduct their own review) that lets them discover all your critical processes and determine that they are properly controlled. This will be expensive, especially if you delegate it to an external party – and you’ll have to do it all over again if the business, the technology or even the interested party changes. This is not an efficient use of resources and you can hardly claim to have implemented good governance if it is based on such an ad-hoc set of processes. Especially if you also consider the fact that time and resource pressures applied to a process that, essentially, repeats the same evaluations over and over, will result in omissions and superficial assessments.

An organization that wants to implement good IT governance must have a supportive culture behind this. This means a culture that institutionalizes good practice processes in pursuit of clearly defined organizational goals, and encourages buy-in to these goals at all levels.

However, you can imagine a company that employs the best (or most expensive) people taking the view that “what kept programmers from reaching their full potentials were managers who tried to impose standards, expectations or restrictions” (quoting from Larry Constantine’s description of the state of affairs at the fictional Nanomush, in ‘Constantine on Peopleware’ [Constantine, 1995]). Such companies are fairly common in the software industry and they usually enforce any regulatory rules with draconian disciplinary procedures, once they have been brought to their attention. So, if you’re caught using someone else’s intellectual property in your IT systems, unlicensed, or you find fraudsters using a back door into your systems put there so that programmers could fix bugs faster, do you simply sack the person responsible for that bit of the system (if they are still working for you) and hope that the issue goes away? Of course, it doesn’t – the lawyers carry on seeking damages or whatever; you’ve lost the free spirits who built your code without wasting time on documenting what they did and the rest of your staff think you’re victimizing the unfortunate sacked programmers, who were only doing what their culture expected anyway.

In this situation, you then start worrying about what other surprises await you,
because if leaving programmers free to do their own thing has given you one
problem, you have no means of assuring yourself that others haven’t taken similar
risks. Typically, after one bad experience, you start mandating compliance with
some source of ‘best practice’, telling your programmers ‘to get it right or else’
which, since you are trying to change their culture, probably won’t go down
very well (you may lose the best of them and keep the ‘dead wood’ that can’t
easily get a job elsewhere). You’ll find that you can’t just mandate compliance
with anything outside of a military organization – and, in fact, military manage-
ment practices are usually fairly enlightened because even under military discipline
the people at the sharp end can work around your mandates (and also because,
possibly, battlefield soldiers have the ultimate sanction available against bad
managers).

Unless you are the sort of company that sets goals before taking action, that
measures the impact of its actions relative to those goals and then changes what
it is doing to reduce the gap between its aspirations and what it actually achieves,
then attempts to achieve good IT governance are probably doomed to failure.
This culture of measurement and continuous process improvement is largely
what is meant by ‘organizational maturity’ – although in our ageist society, compa-
nies often prefer to aspire to being ‘adaptive’ rather than ‘mature’.

Organizational maturity
As Constantine points out [op. cit.], “Maturity is a central issue for the field of
software development. Methodologists are wondering how long it will take for
software engineering to mature as a discipline, managers are concerned about
the level of ‘process maturity’ in the approaches to development used within
their organizations, and project leaders wonder about the maturity of the individ-
uals whom they are called upon to lead”. But it’s a concern in many more fields
than just software development. Firefighting system failures may be fun and,
in some organizations, you may be rewarded for the loyalty and dedication
firefighting at 03:00 am demonstrates – even if you’re responsible for the problem
you’re fighting (you probably delivered really fast and got rewarded for that
too). However, most business users would prefer you to take a more mature
approach and not put the problem there in the first place (or, at least, observe
its appearance and preemptively nip it in the bud).

This concern for ‘maturity’ is really driven by a desire for a quiet life, without surprises and embarrassments. Allegedly, the Software Engineering Institute at Carnegie Mellon started looking at capability and maturity in IT software development because someone at a party to celebrate the first moon landing noticed that we could put a man on the moon but couldn’t build software that worked reliably. It started to develop a Capability Maturity Model for Software that an organization could use as a target to assess the maturity of its software delivery processes against. It then found that there was a need for other process maturity models and, to avoid the management issues of multiple assessments, came up with the Capability Maturity Model Integration (or Integrated, in older references) – CMMI.

CMMI is proving popular, both as a way for an organization to benchmark internally its own ability to deliver and, perhaps unfortunately, as a marketing tool for organizations striving to distinguish themselves in a competitive marketplace. However, you don’t have to have CMMI in order to be a mature organization; it’s just a good framework to work within (and you do really need an external benchmark to manage your progress against). ‘Passing’ a CMMI appraisal (actually, there’s no ‘pass’ in the certification sense, you just get appraised) doesn’t guarantee good governance – it may simply show that your lack of governance is deliberate and that your management should be aware of this (which is, actually, a good start). However, mostly, what you measure (even process) you try to do well.


CMMI

We must stress that we are not really discussing formal CMMI process improvement initiatives here – they’re a whole different topic and deserve a report in themselves. However, we are using CMMI as a framework within which to talk about the maturity necessary for good IT governance. It is a convenient way to categorize the levels of maturity in an IT organization, but we must apologize to serious CMMI practitioners for taking a rather superficial view of the subject. You should also remember that although CMMI deals with more than just software development, it doesn’t cover every aspect of an organization, even if its levels could provide a convenient shorthand for describing maturity in areas where CMMI proper doesn’t apply. For those seeking more information, refer to the CMMI web address in the Resources Appendix.

CMMI is commonly seen as a five-stage process, with organizations progressing through the stages in turn, although there is also a continuous representation, which allows an organization to be at a different capability level in different process areas at the same time. The staged representation is easier to follow as a basis for discussion of maturity. The stages are:

5. The institutionalization of continuous process improvement through proactive process measurement.

4. The use of quantitative process metrics, at the organizational level, to manage and improve the process.

3. The availability of managed process at an organizational level.

2. The availability of managed process at a project level.

1. The ad hoc application of process.

Level 1 doesn’t mean that you have no process or that projects always fail or that nothing good happens – a common misconception. However, at Level 1 any successes can’t be guaranteed – they may depend on particular people or circumstances, and a way of working in one project that delivers success may be abandoned or, at least, not used somewhere else, simply because management doesn’t recognize what it has. It is hard to see how you can claim any great degree of IT Governance at the equivalent of CMMI Level 1.

Going from Level 1 to Level 2 can be quite onerous, because it involves recognizing and documenting what you have – and that often brings you up against the usual people issues, as your IT ‘mavens’ may feel that documenting what they do and sharing it with others diminishes their value in the organization. At Level 2, you are starting to have a degree of IT Governance – and, remember, that we are only using the CMMI Levels as a framework for describing maturity levels.


You may effectively be at something corresponding to CMMI Level 2 as far as IT Governance is concerned, even if you aren’t formally implementing a CMMI initiative and haven’t undergone CMMI assessment (just don’t claim to be at CMMI Level 2 unless you do undergo proper assessment).

CMMI Level 3 is probably as far as you absolutely need to go for IT Governance – which is not to say that going further doesn’t bring advantages and even better governance. However, at Level 3, you not only know what you have and know what you are doing with it, you are managing your IT resource at an organizational level and making basic measurements of the effectiveness of your management, which you can use to improve it.

At what corresponds to Capability/Maturity Level 3, which includes Level 2, you should have, at least:

• Asset management in place, including management of information, infrastructure and application assets.

• An organization-wide security policy, based on risk management and effective identity management.

• Implemented a business continuity policy; complemented with service level management; incident, service impact and problem management; and effective capacity planning and provisioning.

• Effective configuration management in place.

• Information lifecycle management in place, ensuring that electronic business records are kept safely for as long as necessary and then disposed of reliably and securely.

• Managed processes for application lifecycle and operational management.

Process-driven development and operations are fundamental to what we think of as IT governance and will be treated in more detail in the next chapter. A typical but vendor-independent development process is the Dynamic Systems Development Method [DSDM, web] and a widely accepted infrastructure/operations management process is documented in the IT Infrastructure Library sponsored by the UK Government [ITIL®, web].

Higher levels of maturity will fundamentally alter the nature of an organization – the comparison is with the way that ‘lean’ engineering revolutionized the Japanese car industry and enabled it to compete with and displace the traditional US motor industry in world markets. However, higher levels of maturity may not suit some organizations or, in particular, emerging industries and technologies, where things may be changing too fast for a stable process to be feasible (if you are implementing CMMI properly, we suspect that there is room for argument here). Whatever the case, it is probably true that you can’t properly appreciate the benefits, and the consequences or implications, of higher maturity levels until you are at Level 2 or 3.

At the equivalent of Level 4, you become a metrics-focused organization, managing quantitatively through metrics. You don’t just measure a few key things, you measure everything, on the grounds that you can’t manage what you can’t measure. There is an overhead associated with this measurement activity, so automation is vital (and you really need to build the necessary instrumentation into the design of your systems rather than try to bolt it on afterwards). With the benefit of the metrics you collect, you can focus on areas for improvement and confirm that your improvements are, in fact, working.

At the equivalent of Level 5, you are into continuous process improvement and
the occult powers of warrior-monks in Chinese martial arts movies start to seem
normal. Your metrics become predictive and you start to improve processes in
anticipation of emerging problems. At this level, IT Governance is so innate that
you probably don’t even need to think about it – but there aren’t many true Level
5 organizations in the world and many that have been assessed at CMMI Level
5 have only done so with a limited scope.

The point of this section is not to say that you must gain CMMI Assessment at Level 3 in order to implement good IT governance but that you must have a certain level of maturity across the whole organization in order to implement IT governance effectively. And CMMI Level 3 gives you some idea of the minimum maturity level you will need in practice. If you implement IT governance at lower maturity levels you will be lucky if it achieves what you hope it will. You will likely end up with ‘islands of good governance’ and may find that embarrassing areas aren’t covered. You will be unable to reliably measure either the effectiveness or the overheads of your governance initiatives, and you will be unable to manage the overall alignment of your IT Governance efforts with the requirements of corporate governance as a whole.


Roles and responsibilities

One of the key issues in IT governance is the assignment of roles and responsibilities. Mercury Interactive, an IT optimization company and an industry leader in application delivery, application management and IT governance, once commissioned a survey (back when application delivery was still called ‘testing’) which showed that the management in many companies assumed that IT tested its customized package solutions; whilst the IT Group assumed that the management wanted rapid delivery of its new business functionality and had verified its purchase during selection. The vendor, of course, claimed that its package worked perfectly, until it was customized by its customer’s IT Group. The net result, which is all too believable to anyone who has worked in a big corporation, is that much of the business functionality in the customization was never properly tested – an obvious failure in IT governance.

Assignment and recognition of the roles and responsibilities affecting IT governance is definitely a cultural issue and will depend on tradition and company size as well as on the company culture and attitude to technology (a high tech company employing highly trained engineers might give users greater responsibility than a company operating a call centre could), but it is always essential that responsibilities are assigned clearly and accepted. At the highest level, this can be done during staff induction and in job statements, backed up by training.

Generally, the IT Group will be responsible for systems development and technology implementation. It will probably be responsible for implementing IT governance, because it is usually a very bad idea to bolt governance onto a system – at the very least, performance problems are likely; but there is also a significant risk that the governance solution will break the logic of the system and an expensive rewrite of much of it will be necessary. Although not exactly typical, the problems Microsoft is having as it tries to implement security in its operating system (starting with stopping all productive development for a reasonably long period and continuing with ‘critical’ service packs that break existing, working but insecure, applications) give some idea of the issues with this approach. However, the IT group is not best placed to design and enforce governance for three main reasons:

1. IT people are technology focused, and many governance issues are at least partly to do with people.

2. IT people are innovation-oriented, and frequently ‘tried and tested’ is best for good governance.

3. IT people are rewarded for delivery, which may conflict with the need to get governance right.


The IT Group can well supply some of the requirements for IT governance, in the areas of business continuity and configuration management, for example, but there is a risk that its view of Governance will only reflect the technical issues. Being able to restore a working and up-to-date version of a database in the event of a contingency is very much a part of IT governance – but it is not sufficient, as if the people using the database can’t log into it, or don’t have desks to sit at or phones on which to call their customers, then the success of the IT governance of the database won’t matter much in the context of overall business continuity.

On the other hand, even though business users are ultimately the stakeholders and paymasters for IT governance, they don’t have the technical expertise needed to specify IT governance at the technical level. The business users may well be the source of the specifications for IT governance embodied in or implied by the legislative or regulatory environment, but, again, they are likely to specify only part of the solution.

It is quite common to think that a conventional Audit Group will look after Governance but, in reality, it is almost the worst choice of all for this function. Auditors often specialize (although this is changing) in after-the-fact criticism (which is too late, impacts on delivery and is expensive to address), don’t generally have the up-to-date technical knowledge to control technologists and don’t have the culture to become part of the development team. We once noticed that the information archiving in a bank was rather out of control – everything was copied to tape, often several times after a series of changes and, while everything was in an archive, these were growing uncontrollably and it was doubtful whether the bank could answer ad-hoc enquiries from archives with any confidence. So we asked the auditors what the archive requirements were – and they wouldn’t budge from saying ‘archive everything forever’, which was hardly very helpful. However, the auditors may well be the ultimate backstop, the people who confirm that you have, in fact, addressed the letter of the laws and regulations. Nevertheless, it’s really too expensive to find out that you haven’t at this stage.

One solution to IT governance is setting up an Internal Control Group, reporting to the Board separately, probably through a Governance Committee. The responsibility of such a group is to take a holistic view of governance, reporting at a business service level. However, it is also responsible for assisting or mentoring developers and IT operations staff and should be both technically and socially able to relate to the IT Group in an early stage of its projects. The Internal Control Group is responsible for championing the governance point of view in IT, but it must be seen as a service function – a source of help and comfort, and assurance that a technically successful project won’t be criticized after implementation over governance issues the IT Group was hardly aware of. This is largely a social matter, but an Internal Control Group can hardly be expected to be respected, or even accepted, by the technologists in the IT Group unless its members have experience and technical knowledge that the IT Group respects – and unless the Internal Control Group acts as mentors instead of policemen or technology superstars.

Practical experience of governance

At a roundtable entitled ‘IT Governance: The Role of measurement and metrics’, held in London in November 2004 by Managed Objects (the inventors of Business Service Management [ManObj, web]), Ron Whitehand (SVP, Computer Sciences Corp EMEA) described CSC as a governance-focused organization.

Whitehand points out that as a service provider to many large, and not so large, companies across the globe, CSC has to make sure that its relationship to its clients is good, in order to deliver the service its customers expect. IT governance is often confused with external control, he says, but it’s an internal thing, and has to be directed at managing the value delivered as well as the much more straightforward problem of controlling costs.

“We spend a lot of time, not talking about governance per se but just doing governance”, he says. “It’s not a big item on our agenda, we just have to get on with it because any services company has to worry about relationships and value delivered to the client, and the more we can demonstrate that this is a value and the more we can get the client to find it with us, the more we can help him – it’s a mutual benefit.”

“There’s a whole range of layers around how we do this”, Whitehand continues, “ranging from the old-fashioned SLA (Service Level Agreement), where we measure the uptime of every component in a service through to the total availability of a business process. It depends on the maturity of the client, how they’re managed, how far we can take them on the journey towards IT governance – or towards business governance, which is what really matters”.

Metrics, Whitehand says, are very important, but they’re not the be all and end all. You need to understand the value of the metrics. CSC is adopting a ‘balanced scorecard’ approach (which balances hard financial bottom-line metrics against softer metrics relating to intangible assets such as morale and customer satisfaction [BalScore, web]). Other participants at the roundtable, Thomas Mendel (principal analyst, Forrester Research) and Dr Jim White (Business Technologist, Managed Objects) confirmed that there were signs of a resurgence of interest in balanced scorecard since its first popularity almost a decade ago [Kaplan and Norton, 1992] [Kaplan and Norton, 1996]. This may be due to the availability of better automated metrics, so that the choice of metric is driven by business need, not the accessibility of the metric. According to Whitehand, balanced scorecard helps you easily identify management disconnects and gaps in your metrics, but you need to introduce it gradually; you can’t simply take three years off to deliver a ‘big bang’ balanced scorecard solution.

The developers of balanced scorecard, Dr Robert Kaplan and Dr David Norton, working at the Harvard Business School, said some 15 years ago: “The balanced scorecard retains traditional financial measures. But financial measures tell the story of past events, an adequate story for industrial age companies for which investments in long-term capabilities and customer relationships were not critical for success. These financial measures are inadequate, however, for guiding and evaluating the journey that information age companies must make to create future value through investment in customers, suppliers, employees, processes, technology, and innovation”.

What this implies, of course, is that IT Governance based entirely on cost control, while comparatively easy to formulate and implement, will not deliver governance of all those aspects of an organization that are required for success today.

And as an aside, in CSC’s world of outsourcing, the contract services are based on SLAs (‘we will do something for you on this day, or our networks will be up, or someone will answer the phone in a given timeframe and resolve your problem on the phone in a given timeframe too’), so performance against SLA may be an important metric for governance.

Of course, the IT Department should be relating to outside customers anyway, but one speaker didn’t think that they usually do; although those that do see it as part of the business are probably the most productive and forward-looking companies. Nevertheless, there are potential issues with making the IT Group part of the business. “In a previous life,” Whitehand says, “I actually ran internal IT services for a company and I did engender a kind of governance board to understand what my clients wanted inside the company. But it turned into the very thing you’re talking about, Tom [Thomas Mendel], which is ‘we’re going to control you’”.

Although Whitehand believes in understanding quite as much as you can about what the client wants and what the business wants, because the customer is the final arbiter of where you’re going, he doesn’t think that business managers should try to control technologists directly. So he cancelled that governance meeting, “because it was of non-value to the company – it just turned into ‘let’s stop them spending money and doing stuff’ [although] it was probably a bit highhanded of me at the time”.

Business managers do not generally know enough about technology (at the
cutting edge, especially) to effectively manage technologists who may know more
about technology and its implications than they do. Similarly, we have seen a
business-focused IT group that thought that it knew more about the business
process than the business itself. It probably did, at the start, but it couldn’t maintain
this knowledge of the business cutting-edge without actually being involved in
the business day-to-day (perhaps this is less true in a user-focused development
environment such as eXtreme Programming).

Finally, Mendel made an illuminating remark to the table generally: “If you ask
IT directors and CIOs about governance you may be asking the wrong people,”
he said, “because from what we can tell all the initiatives around managing the
risk of IT delivery, making your IT processes produce business value, those kind
of things, they’re all not driven by IT, not in the beginning anyway, they’re driven
by the end users, by the Board, so the understanding of what governance means
to IT will come as a second step. We’re in a first phase,” he continues, “where
the business is starting to demand from IT an understanding of what products
we’re producing and how these compare with those from external markets, rather
than just internal service delivery”.

Now, perhaps, is the opportunity for a mature IT department to move ahead of the curve and start to preemptively deliver the style of IT governance the Board of the company is coming to expect.

In the next chapter we look at the impact of IT governance on the IT department specifically.

Chapter 4
The impact on IT
IT service management .......................................................................37

Lifecycle systems development process............................................43

Management reporting: Telling a true story ...................................49

Practical IT governance tools .............................................................51



“AberdeenGroup research indicates that industry is wasting an estimated 15 to 25 percent of its IT investment. Most organizations have effective investment and cost control mechanisms in place for facilities directly affecting production, but in very few cases are these mechanisms applied to the organization’s computing resource.”

FROM THE FLYER TO THE ABERDEENGROUP’S STRATEGIC ENTERPRISE IT BUDGET REALITIES BENCHMARK REPORT, DECEMBER 2004.

IT governance will have an impact on IT – there will be some things that IT staff
want to do that they won’t be able to do after you implement IT governance
and new initiatives that they’ll have to buy into. If implementing IT governance
has no effect on the way you work, one wonders why you’re bothering.

This impact must be managed, as must the fear that IT governance will get in the way of productivity and increase bureaucracy for its own sake. It may be worthwhile pointing out that unproductive IT – wasting resources – is itself a symptom of poor IT governance. You could do this in IT governance workshops, as part of the introduction of IT Governance. The point to stress is that IT governance is intended to produce a positive business benefit – although you may have to invest up front in order to achieve a longer term benefit. It is best to catalyze the implementation of IT governance with an obvious short-term benefit, such as the prospect of regulatory fines (or worse) if you don’t get your house in order.

You don’t have to do it all at once, if you take a process-driven approach to IT Governance. You can put in place processes to address immediate problems (as long as you think a bit about the ‘big picture’ context), measure the consequences of this and use these metrics to justify further investment or, perhaps, to change the process you’re adopting.

Promoting IT Governance should be made part of an employee’s conditions of employment and the promotion of good governance recognized in pay awards and staff appraisals. A necessary (but not sufficient) requirement for good IT governance is the availability of a proper security policy, and adherence to this, and promotion of good governance generally, should be mentioned in standard employment contracts and, more importantly, made part of staff induction training.

So, to summarize, the most important effect on the IT Group is that it will have
to become a process-oriented organization with a measurement culture. The
idea is that it will be able to say what it is going to do about IT issues (including
things like compliance, reliable business service delivery and other governance
issues), evaluate its success in doing it and change what it does next in order
to reduce the gap between aspiration and achievement. This is the essence of
good governance.

IT service management

Business service management

The first part of our working definition of IT governance (see Definition of IT governance in the Management overview) is that it’s ‘that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organization’. Now, it probably isn’t the only possible approach to IT governance, but if you want to implement IT Governance firmly in the context of corporate governance as a whole, it helps if IT takes a service-oriented approach (built on a Service Oriented Architecture or SOA). As David Chappell of Sonic Software says in the introduction to his work on the Enterprise Service Bus [ESB, 2004], “An SOA [Service Oriented Architecture] provides a business analyst or integration architect with a broad abstract view of applications and integration components to be dealt with as high-level services”. He goes on to point out that an Enterprise Service Bus (ESB) ties together applications and event-driven services in a loosely coupled way, which means that they can be treated independently, but still in the context of an overall business function.

It is a fundamental thesis of this report that IT Governance is about IT in the service of the business, whether it’s about returning an ROI in the form of assistance to moneymaking business processes, or about the avoidance of waste (and IT without a business purpose is a waste of resources), or about the satisfying of business regulatory or compliance requirements. From this point of view, the service-oriented approach to IT simply makes effective, business-oriented governance easier – although there are other technical reasons why SOA, and perhaps even ESB, will be important strategic directions for IT.


However, this is a top-level, architectural view of the matter. Nevertheless, a very similar view is emerging bottom-up, from the (often neglected) IT operations world, in the form of Business Service Management (BSM), a term which Managed Objects [ManObj, web] claims to have invented but is now also used by BMC and HP.

According to HP, its BSM solution (which is based on its well-established HP OpenView product range) ‘provides CIOs, business process owners, and key application owners with a view of their business processes from a customer perspective’ [OpenView, Web]. This should enable them to maintain a clear understanding of the high-level health of their computer infrastructure and the applications on which the business processes depend – certainly an aspect of IT governance.

According to BMC Software [BSM, Web], “Business Service Management (BSM) provides an incremental approach to understanding and meeting your specific business needs. With BSM, you can identify the best technology solution to support your business and make the most of your current investments. You can deliver faster, more comprehensive and consistent services, increase revenue opportunities, lower the cost of ownership and reduce the risk of unnecessary IT expenditures”. BSM obviously addresses the first part of our definition of IT Governance, to do with serving the business effectively, and goes on to deal with the middle part, the management and mitigation of IT risk.

An important practical part of the BMC BSM picture is the Atrium Configuration Management Database (CMDB – an ITIL® term, see below – [Atrium, Web]), which provides information sharing and centralized management across both BMC and third party solutions. BMC claims that Atrium provides ‘a single source of truth for your IT environment’, an important basis for effective, manageable IT Governance (even if you don’t choose to obtain it with Atrium, it is an issue you will have to address).

BMC identifies the following entry points to BSM:

• Service level management

• Incident and problem management

• Infrastructure and application management

• Service impact and event management

• Asset management and discovery

• Change and configuration management

• Capacity management and provisioning

• Identity management.


If you go back and compare these with the list of desirable processes in the previous section (under CMMI) you see a considerable overlap. You can come at IT governance top-down, from a process-oriented and process-improvement angle; or you can come at it bottom up, from best practice infrastructure procedures such as ITIL® (see below). Business Service Management can provide a good framework for presenting an integrated IT governance policy to both IT operations staff and even operational staff in the business; whereas the process-oriented view can appeal to upper management and regulators. In reality, both views are complementary.

ITIL®

Vendors usually promote Business Service Management but there should be a standards-based approach underlying it. This is usually ITIL®, the IT Infrastructure Library [ITIL®, Web], which was developed by the UK CCTA (Central Computer and Telecommunications Agency) in the late 1980s and is now owned by the UK Office of Government Commerce (the OGC – ITIL® is both a Registered and Community trade mark of the OGC) and adopted worldwide.

The ITIL® documentation was revised during 2000 to ensure that it is consistent with, and forms part of a logical structure with, the BSI Management Overview (PD0005) from the British Standards Institution (BSI), BS15000-1 (Specification for service management) and BS15000-2 (Code of practice for service management). The British Standards Institution’s Standard for IT Service Management (BS15000) supports ITIL® and, unlike ITIL® itself, is a standard that you can certify against.

ITIL® is a library of books describing ‘best practice’ taken from both the public and private sectors internationally, together with a qualifications scheme, accredited training, and tools to assist with implementation and assessment. It certainly isn’t limited to UK practice or to public services organizations; despite its ‘ownership’ by an office of the UK government it is, in fact, a general framework for IT governance, suitable for small, medium or large organizations, which must be customized to the needs of any particular organization. A whole philosophy of infrastructure management has grown up around ITIL® and the environment needed to support it.

A comprehensive ITIL® FAQ is available on the Web [ITIL® FAQ, Web] but organizations planning to implement IT Service Management might also want to read ‘Planning to Implement Service Management’, which explains the steps involved in implementing or improving IT service provision [PlanISM, 2002]. There is also an independent not-for-profit ‘user group’ (including vendors) called the IT Service Management Forum or itSMF [itSMF, web], which claims to be a major influence on, and contributor to, industry ‘best practice’ and Standards worldwide, working in partnership with a wide range of governmental and standards bodies.

THOROGOOD PROFESSIONAL INSIGHTS 39

4 THE IMPACT ON IT

To use ITIL® you really need to buy the library; we can’t cover it all here. However, we will provide an overview of its structure and scope, although this is not a definitive guide to ITIL®, which is well documented by the OGC.

ITIL® divides Service Management into Service Support and Service Delivery. Service Support consists of six functional areas:

1. Configuration Management;

2. Change Management;

3. Release Management;

4. Incident Management;

5. Problem Management; and

6. Service Desk.

Service Delivery comprises another five functional areas:

1. Service Level Management;

2. Capacity Management;

3. Cost Management for IT Services;

4. Availability Management; and

5. IT Service Continuity Management.

SERVICE SUPPORT: CONFIGURATION MANAGEMENT

This provides a foundation for other processes such as Incident, Problem, Change and Release Management. It maintains a logical model of the IT infrastructure, stored in a CMDB (Configuration Management Database) and built from ‘configuration items’ (CIs). It identifies, controls, manages and verifies the version of each configuration item. Configuration management involves planning (in detail for 3-6 months ahead and in outline for 12 months past that); identification of CIs (ownership, and unique id, for example); control of CIs under change management review; status accounting and tracking; verification and audit of CIs.

SERVICE SUPPORT: CHANGE MANAGEMENT

This controls changes to CIs in the production environment and has to balance
the need for systems improvement (driven by changing business or the
discovery of defects) against the potential risk associated with making changes.
ITIL® appears to limit Change Management to the live environment, relying on
project change processes to manage change within ongoing projects. Change
Management typically deals with raising and documenting a change request,
assessing its impact, cost, benefit and associated risk, obtaining and documenting
change approval, managing the implementation of change, reviewing the change
and closing off the request.

SERVICE SUPPORT: RELEASE MANAGEMENT

This is the holistic management of both the technical and the non-technical aspects
of major or critical changes. It plans and oversees the successful rollout of new
and changed software and associated hardware and documentation across a
distributed environment. Release management includes, but is rather more than,
software control and distribution.

SERVICE SUPPORT: INCIDENT MANAGEMENT

This is about detecting and recording incidents (events impacting service levels), classifying them, diagnosing the root cause of the incident and resolving it, with the aim of restoring normal service as soon as possible, with minimum disruption to the business.

SERVICE SUPPORT: PROBLEM MANAGEMENT

This is similar to incident management, except that problems encompass the wider issues behind incidents. An important aspect of problem management is trend analysis and the proactive prevention of problems/incidents. Problem management is more-or-less the opposite of firefighting. Problem management should supply the organization with relevant management information reports.

SERVICE SUPPORT: SERVICE DESK

This is the central point of contact with the IT Service Organization for users
experiencing problems. A good Service Desk can have a disproportionate effect
on customer satisfaction. A good target is to close most service requests at first
point of contact with the Service Desk. Service Desk is preferable to the older
term ‘help desk’, as it reflects the wider scope of a service desk facility. The Service
Desk can be expected, these days, to be proactive, suggesting ways in which
problems can be addressed before they appear.

SERVICE DELIVERY: SERVICE LEVEL MANAGEMENT

The aim of this is to document and agree service level agreements (SLAs) between
the providers and consumers of IT services, and improve service levels over time,
as the business changes. It is usually important that SLAs are business-oriented,
as the availability of one component is of no interest if the service it helps support
isn’t available to the business.

SERVICE DELIVERY: CAPACITY MANAGEMENT

The aim of this is to ensure that capacity (disk space, computer power, etc.) increases or decreases in line with anticipated business volumes and performance needs. There should be a capacity plan, which is agreed with management and assigned a budget, so that it can be implemented to ensure that (in particular) lack of capacity doesn’t impact the business. There are three main areas of Capacity Management:

• analyzing future business plans and ensuring that adequate capacity will be available;

• analyzing the services provided to customers and anticipated future demand, so that lack of capacity doesn’t impact service levels; and

• analyzing and monitoring the resources used by the IT infrastructure, so that resources don’t run out.

SERVICE DELIVERY: FINANCIAL MANAGEMENT FOR IT SERVICES

This is a vital part of IT Service Management and is really just the good financial governance of the IT infrastructure – management and reduction of costs, calculation of cost of ownership and return on investment, effective utilization of resources, management of internal and external contracts – and, of course, provision of financial reporting information to management. You would expect an IT organization to be able to account for the money it spends and to allocate this spend to the provision of defined services. Most organizations will also want to recover these costs from the users of these services, and possibly to influence customer behaviour, by means of some form of chargeback.

SERVICE DELIVERY: AVAILABILITY MANAGEMENT

This concerns itself with ensuring that IT resources are available as and when needed by the business to satisfy its objectives. It is usually a balance of cost and demand, tempered by business criticality – redundancy, for example, helps to ensure availability but increases the cost of the infrastructure, with redundant components lying idle (unless you exploit some form of grid or on-demand computing model), so is only used for critical components. Availability Management will monitor service availability against the appropriate service level agreements, and adjust targets and agreements as appropriate.

SERVICE DELIVERY: IT SERVICE CONTINUITY MANAGEMENT

This supports Business Continuity Management; it doesn’t replace it (there is no point in ensuring IT service continuity if the business can’t make use of the service because something else can’t be recovered). This is typically about having tested recovery plans for IT components in the event of a disaster or major failure impacting the business (it is also known as contingency planning or disaster recovery), but the need for management of the recovery process, and the people issues involved (including customer and public confidence), can’t be over-emphasized. The recovery plans must be regularly reviewed, to make sure that they remain in alignment with the needs of the business (and that the processes being recovered are still current), and are worthless unless and until they are tested – which should be repeated regularly.

ITIL® is not a fixed standard but is evolving in response to feedback from its stakeholders. It was last updated in 1997, and the process of implementing a new update started at the end of 2004; the project reported in April 2005. This next version of ITIL® will preserve the key concepts of Service Support and Service Delivery. However, the consistency of its underlying structure and navigation will be improved and ITIL® will also be extended to increase its coverage of service management and of the cultural and organisational aspects of managing ITIL® best practice in a modern multi-sourced environment. It will also take on a ‘knowledge management’ aspect, with case studies, subject matter expert white papers, implementation packages, business cases etc, complementing the core content; and additional material to support the ‘value proposition’ associated with ITIL®. This may involve the addition of new books and topics to the ITIL® library and the removal of some books and topics; and may well change the qualification scheme. However, it will be an evolution of ITIL®, not a complete rewrite – the core volumes should be republished during 2007.

Lifecycle systems development process


The process that most affects the IT group is the lifecycle development process – ‘lifecycle’ meaning that you apply as much or more weight to the business operation and continuing maintenance of IT systems as to the initial development. After all, most systems spend far longer, and consume more resources, while ‘in maintenance’ than they do during development.

The implication of this is that it is generally wrong to think in terms of IT projects if you want to develop automated systems that contribute effectively to the business goals of an organization. An engineering project, such as a bridge, is complete in itself. It starts, it has resources more or less exclusively assigned to it and it finishes – when you can evaluate its success or failure. Maintenance has minimal effect on the function of the bridge. In contrast, a software engineering ‘project’ is actually part of a programme – Geoff Reiss writes about Programme Management Demystified [Reiss, 1996] in the follow-up to his book Project Management Demystified [Reiss, 1995]. Programme management is, according to Reiss, “the co-ordinated management of a portfolio of projects which call upon the same resources”. The IT group is usually working on several projects at once and most of its effort is often devoted to the integration of these projects with each other and with the operational systems already installed. The members of a software engineering team ostensibly devoted to a single ‘project’ will be involved in the maintenance of previous projects they have completed, and may be adding considerable new business functionality during maintenance, and may be called upon to provide particular expertise to other development projects. Two of the characteristics of programme planning that Reiss identifies are relevant to the issue of IT Governance:

1. The team must ensure that the project’s aim helps the organization
forward.

2. Concentration on the corporate objectives.

What this means in practical terms is that the development and maintenance
of automated systems must be firmly based on the analysis and prioritization
of business requirements (including regulatory requirements). It must be possible
to trace through from business requirement to code and vice versa. Code should
contribute to an identifiable business objective (even if indirectly, as some code
is there for technical reasons) and if it doesn’t it shouldn’t be there; defects and
failures should be categorized/reported in terms of the business services they
impact.

So, the IT Group can expect to be involved in Business Process Management (BPM) using languages such as BPEL (Business Process Execution Language) and Requirements Management. It will be generating at least the framework of an automated system from Analysis and Design models, derived from Requirements models – in fact, it may well adopt Model Driven Development as a discipline. Iterative development with constant reference back to the end-users of the system will be the norm (even eXtreme Programming) and, of course, testing will be key to building the final system.

Developers will be as familiar with modeling languages such as UML2 as with coding languages, because abstraction via models lets you more easily understand and validate complex automated systems. And, of necessity, management will give developers realistic schedules, which mean that they have the time to ensure that their automated systems really do align with the business goals of the organization.

There are many standard development processes, so writing your own from scratch (which is how many of the currently available ones started) is no longer particularly useful. Most of them are supported by vendors; IBM/Rational RUP (Rational Unified Process) is a notable, and respected, example. The issue with a vendor-supported process is that it may focus on areas where the vendor has tools to sell; and it may not abstract its physical implementation from its logical model sufficiently. Ideally, a process should be implemented as a meta-process, used to instantiate a specific process for a particular activity (although the availability of ‘pattern’ instantiations for typical business situations would make sense).

Nevertheless, many organizations get on well with commercial development processes – there are potential issues but as long as you’re aware of them, then they can provide a good basis for governance of the development process. However, we’ll look at a couple of vendor-independent development processes, in order to illustrate the IT governance issues.

DSDM
The Dynamic Systems Development Method [DSDM, web] is an accepted methodology for Rapid Application Development (RAD), originally developed by a consortium sponsored by IBM. DSDM is designed to be flexible – Agile – and relies on iterative development, using prototypes, within a non-prescriptive framework. It really consists of a non-prescriptive collection of ‘best practices’.

The framework within which iteration fits talks about five lifecycle phases:

1. Feasibility Study: this evaluates a proposed development for business justification and decides whether using DSDM is appropriate. It produces a Feasibility Report, which may include an initial solution prototype.

2. Business Study: this phase reviews the business process the IT system should support, develops an outline prototyping plan and identifies external stakeholders (such as user sponsors and workshop representatives).

3. Functional Model Iteration: this phase uses prototypes to model the required system, identifies non-functional requirements (such as performance and regulatory issues) and produces a functional model, the implementation strategy and a cost benefit analysis.

4. System Design and Build Iteration: this phase refines the functional
prototype using feedback from the business to drive the production
of new prototypes. After sufficient iterations, this phase delivers a
working system, which addresses all the agreed stakeholder
requirements.

5. Implementation: this phase moves the tested system into the user’s
production environment and will include any user training required.

An important feature of DSDM is ‘time boxing’. This recognizes that scheduled delivery dates are important to the business, so if the project is slipping it maintains the agreed delivery dates by negotiating a reduction in functionality for the relevant prototype, instead of (say) reducing quality. In DSDM, dates do not slip but functionality might.

The essence of DSDM [PCSupportAdv, web] lies in its nine principles:

1. Active user involvement is imperative. DSDM takes a user-centred approach, ensuring that users are closely involved throughout the development life cycle as active participants in the overall process.

2. DSDM teams must be empowered to make decisions. The DSDM teams combine developers and users, who have the power to decide upon functionality, etc.

3. The focus is on frequent delivery of products. DSDM is more concerned with the products of a project than the activities per se. Each product is produced within an agreed period of time or timebox (generally a short time period, as for earlier RAD approaches), with the team responsible able to choose its own approach to delivering that product.

4. Fitness for business purpose is the essential criterion for acceptance of deliverables. DSDM is aimed at delivering necessary business functionality when it is needed, with an acceptance that there may be a need for subsequent refinement. This contrasts with more traditional approaches, which can degenerate into slavish delivery of requirements, even after it has become recognized that the requirement has been overtaken by events or was simply plain wrong.

5. Iterative and incremental development is necessary to converge on an accurate business solution. The DSDM approach favours incremental development, with a significant level of feedback from users. This helps the rapid satisfaction of business need and builds in iteration, in contrast to the view that re-work is managed under an exception procedure, which can be common in other development approaches. This is all believed to facilitate achieving rapid and continuing benefits in DSDM.

6. Requirements are initially base-lined at a high level. DSDM agrees the high-level requirements at the start of the project, fixing an agreed scope and purpose of the system overall. This provides a framework within which detailed investigation of the requirements can be conducted.

7. All changes during development are reversible. DSDM supports the idea of ‘backtracking’ to earlier states once iterations of the software stop satisfying the needs of the system’s stakeholders. Obviously, this requires work to be performed within a development environment that supports the return to earlier products.

8. Testing is integrated throughout the lifecycle. Testing of DSDM products is performed on a continuing basis as an integral part of the overall work. Testing involves both the developers and users, and is concerned with both the verification and validation aspects of the product.

9. A collaborative and co-operative approach between all stakeholders is imperative. The developers, users and other stakeholders in a DSDM project work together to clarify the business need and ensure that development satisfies that need. This contrasts with the ‘contractual’ approach of traditional development processes, where users are expected to have all their requirements fully elaborated prior to implementation and the developers provide a clear specification of what will be delivered. DSDM is more realistic in its approach, reflecting the hard-won IT experience that requirements evolve, due to developing understanding and a changing external environment.

DSDM is particularly useful to IT governance because it increases user involvement in IT projects and preserves external delivery dates, both of which help reassure IT’s external stakeholders in the business that IT is under control.

eXtreme programming
IT developers, in particular, are often frightened of process (and, indeed, governance) because of a fear that it will restrict their creativity and put a pile of paperwork in the way of their productivity. In fact, this fear is usually unfounded – building on an accepted process frees developers to be more creative, to do more – and much of the required documentation can be machine-generated (a computer-maintained UML model of a system is better documentation than a folder-full of paper).

Nevertheless, an Agile development process has grown up in the light of these fears – valuing people over process and output of working systems or prototypes over abstract documentation – Thoughtworks [Thoughtworks, web] is a good example of a consultancy espousing Agile principles, not only in dealing with customers but also internally.

An extreme example of Agile development is eXtreme Programming (XP). It isn’t really defined anywhere (one of its principles is that if XP is broken, you are allowed to fix it – i.e., you can customize your own version of XP) but it is generally accepted that Kent Beck’s book, eXtreme Programming Explained [Beck, 1999], is a good starting point. An XP ‘process’ will consist of a set of good practices, for example:

• Start by collecting short ‘user stories’ from your users, consisting of a description of some feature of the new system and an acceptance test. Build a release plan, delivering useful business function, by grouping user stories together.

• Deliver project iterations taking about 1-3 weeks, selecting the deliverables for an iteration from a prioritized list of user stories and failed acceptance tests.

• Program in pairs, two programmers working on the same code on a single terminal. You’d think this would reduce productivity but, in fact, it increases it because it reduces rework (neither partner can tolerate unclear code from the other and they spot each other’s omissions).

• Keep things as simple as possible for as long as possible, by never adding functionality before it is asked for in a user story.

• Refine the design to remove redundancy, eliminate the unnecessary and rejuvenate tired designs whenever and wherever possible. This is called ‘re-factoring’ and is an area where experience is vital. It’s all about removing unnecessary features and complexity, not about optimizing performance and adding new features.

In marked contrast with the expectations of people who don’t know XP, it can
be very compatible with good IT governance, and even process improvement
approaches such as CMMI. The user involvement ensures that the IT project is
aligned with the business; the emphasis on tests for each and every ‘require-
ment’, and constant repetition of the tests as the build changes, promotes quality;
incremental delivery ensures that projects don’t run out of control. However,
XP requires an extremely disciplined development team – at least as disciplined
as for normal development, possibly more so – and some people adopt ‘XP-But’
(as in ‘we do XP but we don’t bother with all that awful testing...’) which won’t
deliver the same results.

According to Kent Beck (op. cit.):

“XP is my baby. XP reflects my fears: I am afraid of doing work that doesn’t matter; having projects cancelled because I didn’t make enough technical progress; making business decisions badly; having business people make technical decisions badly for me; …doing work that I’m not proud of.”

If your programmers think like this, then XP delivers good development governance. If they don’t, well, that is a management issue.

Management reporting: Telling a true story


The last part of our working definition of IT Governance (see Definition of IT
governance in the Management overview) is that it ensures that, ‘automated
information systems (including financial reporting and audit systems) provide
a true picture of the operation of the business’.

Demonstrable audit controls


Everything in IT governance contributes to this but in the end it is a question of security – not of Confidentiality, but of the often overlooked Integrity and Availability aspects of security. Many systems provide audit trails, but how many of them protect the audit trails from systems administrators? If they don’t, the audit trail may prove to be worthless in court – if it ever comes to that – as its Integrity can be compromised. And, if access to audit data (and legislation such as the UK Companies Act allows auditors access to any data that they need for their audit) hasn’t been considered in advance, its Availability may be compromised – it may take too long to retrieve, the detail may be lost in an aggregation, the data format or physical medium may be obsolete. Audit data is only really useful if you know that you can prove it hasn’t been tampered with and that you can read it – if you had a nine track tape of IMS transactions from 1980, could you find the hardware to read it on, run a version of IMS that could recreate the transaction, prove that no-one tampered with it 25 years ago and understand the application well enough to make sense of the business behind the transaction? Some people think that the only truly reliable audit records are human-readable document images, written in duplicate (with each duplicate stored in a different location) using standard document formats on robust media – but the implementation details of this will depend on the precise requirements.

In fact, without special provisions, computer forensics can usually demonstrate that computer data hasn’t been tampered with or that it has been (beyond reasonable doubt) by analyzing the time stamps and similar data attached to changes by the operating system. However, you’d be unwise to rely on this, if only because computer forensics experts are expensive, especially if they’re expert on obsolete computer systems.

It is better to build audit trails into the system design and possibly copy them securely into a system that only the auditors or internal control group, not the usual system administrators, have access to. However, in practice, this is not always easy: not all operating systems have fully granular security permissions, with no ‘super users’ (in fact, few do). You perhaps need to give systems administrators the power to change everything except audit data (this may be needed in order to fix problems), although you might want to provide controls on the exercise of these powers; but you might also want to give the auditors the power to see everything, including normally confidential data, but change nothing. When you try to implement such schemes, you discover that you need a sophisticated, rules-based security scheme, but effective schemes like this aren’t common when you delve into the details. Taking two examples from the past, Windows NT had the granularity, but was too hard to manage and seldom implemented properly; Novell Netware (after v4) had the sophistication and directory-based manageability, but still supported ‘superuser’ (all powerful) IDs (including legacy admin IDs from a previous security model); neither implemented roles fully.

Encryption can come to your aid, not for Confidentiality but for non-repudiation. By encrypting a hash total derived from a document and transmitting the encrypted data alongside the document, you can prove that it hasn’t been altered (by checking that the received document hashes to the same figure as the original did); a similar approach can be used for ‘digital signatures’ (remembering that an email, say, is effectively digitally signed anyway, in practice). However, providing a hash signature for everything an auditor may ask about may prove impractical.
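As an added illustration (not code from the report), the following Python builds the kind of audit trail the preceding two paragraphs describe: each record is chained to the previous one by its hash, and a keyed hash (HMAC) under a key held by the auditors rather than the system administrators stands in for the ‘encrypted hash total’. It shows which tampering the auditors’ read-only check detects, and the one case (dropping the newest records) that needs an out-of-band anchor. The key, the events and the record layout are all constructed for the example.

```python
"""Tamper-evident audit trail: hash chain + HMAC under a key held outside
the administrators' control. Added illustration, not code from the report."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key. In practice the auditors / internal-control group generate
# and keep it, so an administrator who can rewrite the file cannot re-sign it.
AUDIT_KEY = b"constructed-auditor-key-for-illustration-only"
GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(obj: dict) -> bytes:
    # Canonical JSON so a given record always serialises to the same bytes
    # (and stays human-readable, which helps the Availability side too).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(trail: List[dict], event: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append one event, linking it to the previous entry.

    seq  : position in the trail (detects deletion or reordering)
    prev : hash of the previous entry (an upstream edit breaks every later link)
    mac  : HMAC over seq/prev/event under the auditors' key
    hash : SHA-256 of the signed entry, used as the next record's `prev`
    """
    body = {"seq": len(trail), "prev": trail[-1]["hash"] if trail else GENESIS,
            "event": event}
    entry = dict(body, mac=_mac(body, key))
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict], key: bytes = AUDIT_KEY,
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Auditors' read-only check. Returns (ok, reason).

    `expected_head` is the latest hash the auditors recorded out-of-band
    (e.g. at period end); without it, silently dropping the newest records
    is undetectable, because a shorter chain is still a valid chain.
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("seq") != i:
            return False, f"sequence gap at position {i}"
        if entry.get("prev") != prev:
            return False, f"broken chain link at seq {i}"
        body = {"seq": i, "prev": prev, "event": entry.get("event")}
        if not hmac.compare_digest(_mac(body, key), str(entry.get("mac", ""))):
            return False, f"record {i} altered or forged"
        unhashed = {k: v for k, v in entry.items() if k != "hash"}
        if hashlib.sha256(_canonical(unhashed)).hexdigest() != entry.get("hash"):
            return False, f"hash mismatch at seq {i}"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "trail truncated or head does not match auditors' anchor"
    return True, "trail intact"


def demo() -> dict:
    """Constructed scenario: three ledger events, then three tampering attempts."""
    trail: List[dict] = []
    for ev in ({"user": "clerk1", "action": "post_journal", "amount": 1200.0},
               {"user": "clerk2", "action": "approve", "ref": 0},
               {"user": "admin", "action": "change_rate", "old": 0.2, "new": 0.175}):
        append_record(trail, ev)
    head = trail[-1]["hash"]  # auditors note this value out-of-band

    edited = json.loads(json.dumps(trail))       # deep copy via JSON round-trip
    edited[2]["event"]["new"] = 0.2              # admin hides the rate change
    dropped = [trail[0], trail[2]]               # admin deletes the approval
    truncated = trail[:2]                        # admin drops the newest record

    return {
        "clean": verify_trail(trail)[0],
        "edited": verify_trail(edited),
        "dropped": verify_trail(dropped),
        "truncated_unanchored": verify_trail(truncated)[0],
        "truncated_anchored": verify_trail(truncated, expected_head=head)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```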

When you design financial reporting, it must be based on proper analysis of both the business and regulatory requirements and fully tested. This extends to the audit trail of changes to the financial record. Think in terms of demonstrating the integrity of your financial reporting in court, not in terms of a computer science exercise (being logically correct is necessary, but may not be sufficient). This is an area where role-playing games in a training situation can concentrate people’s minds on the issues.

Practical IT governance tools


This report does not aim at being a buyer’s guide to IT governance software. Nevertheless, examination of a few representative products may be of value, as giving an idea of the sort of computer assistance that is available to an IT governance project. However, there are many more tools out there to choose from.

1. Select Business Solutions Process Director [ProcDir, web]


This addresses the management of Software Development process, one step above
Software Development Process itself and is an aid to process maturity – it appears
to markedly speed up CMMI level 3 assessments, particularly in two areas:

• Organizational Process Focus: To plan and implement organizational process improvement based upon a thorough understanding of the current strengths and weaknesses of the process and process assets; and

• Organizational Process Definition: To establish and maintain a set of organizational process assets.

Process Director comes with a range of processes ‘in the box’: Select Perspective; Waterfall; PRINCE2 (a UK Government sponsored project management process); and ‘Alignments’ to DSDM, Agile/XP and others. You can use these as a basis for developing a process customized to your own development requirements, without the risks associated with reinventing the wheel from scratch – real IT governance. See a brief review of the product by Andrew Griffiths of Lamri at [ADA2005-3, web].

2. Compuware Changepoint [Changepoint, web]


Compuware IT Governance by Changepoint, to give it its full title, is a holistic IT business management tool that enables organizations to implement effective governance models, providing the organization with a framework for measuring and managing IT value, cost and risk. It also helps you align IT with the business by applying a portfolio management discipline to IT projects, applications and infrastructure. It can automate core business processes and promises to reduce costs, while increasing the efficiency and quality of all IT work.

It can enable management to improve decision-making and proactive performance management at all levels, by providing visibility into critical performance indicators in real-time. It helps management gain control over IT spending through accurate, comprehensive cost measurement, budgeting and meaningful charge-backs, and helps to improve client satisfaction by gathering feedback and collaborating with clients online. It also supports skill tracking; demand and capacity planning; scheduling and time tracking. It helps to control administrative overheads and to eliminate redundant, error-prone manual data handling processes and improve the morale of both management and staff.

Big claims but in our opinion, after talking to Ayman Gabarin, VP of IT Governance EMEA at Compuware, probably not unfounded.

3. BMC Atrium [Atrium, web]


A key part of the underlying ITIL® model is the Configuration Management Database (CMDB). Atrium from BMC Software is one of the few specialized implementations of CMDB.

It is an intelligent data repository that BMC says “provides a working model of your enterprise IT infrastructure” – a single source of truth for your IT environment. It promises to underpin the IT governance you need in order to support your organization’s business goals effectively.

CMDB is, in effect, an integration tool which federates the data from multiple
infrastructure monitoring and discovery tools into a cohesive logical whole –
that can reside on multiple physical platforms throughout an IT organization.

4. Mercury BTO [Mercury, web]


Part of IT governance is assurance of the continuing operational efficiency of automated systems, especially after a regulatory or compliance initiative has increased data volumes or administrative overheads; here Mercury’s Business Technology Optimization (BTO) promises to be a valuable addition to your toolkit.

Mercury promises specific assistance with, for example, the key sections of Sarbanes-Oxley: Section 302, which requires CEOs and CFOs to sign statements, under penalty of perjury, verifying the completeness and accuracy of company financial statements; Section 404, which requires CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting; and Section 409, which requires companies to report material financial events immediately, in real-time, instead of waiting for quarter-end. Mercury’s products include comprehensive portfolio, program, and project management software and real-time dashboards that can be configured for CIOs, CFOs and CEOs to provide early warning of any project missteps, avoiding end-of-quarter surprises. They also provide end-to-end process control over software changes including enhancements, customizations, configuration, vendor patches and bug fixes; logging of all changes across the development, test stage and production landscapes; control over lifecycle processes and real-time project status.

5. Borland ALM toolset [ALM, web]


Borland sees itself as the last truly non-aligned vendor of a complete set of
software development tools in a world dominated by IBM/Rational (Eclipse, J2EE)
and Microsoft (.NET). Some others might disagree but it is certainly a major
player in that space.

Borland quotes independent research by ROI experts at Consynity that suggests that using an integrated set of solutions to support the entire systems development process offers real benefits: reduced application development, testing and deployment costs by 25% to 75%; improved application quality and performance by 25% to 65%; reduced time to market by 33% to 85%; reduced time and resources to deploy applications across multiple environments by as much as 80%; reduced application downtime by 50% to 90%. Achieving any or all of these would seem to demonstrate effective IT governance.

Borland tools really do address most of the lifecycle, ranging from requirements management with its innovative Caliber RM tool to model-driven development with its Together products. However, perhaps what makes it stand out from an IT governance point of view is its recent acquisition of TeraQuest [TeraQuest, web] (a CMMI consultancy), and its focus on CMMI: it is actively pursuing CMMI level 3 certification over this year and 2006 across all ALM products. Together with its retention of Dr Bill Curtis of TeraQuest as Borland’s first Chief Process Officer, this makes Borland a very interesting partner for process-focused IT governance initiatives.

6. Telelogic Doors-Synergy Integration [Doors, web]


Telelogic SYNERGY is a task-based change and configuration management solution built upon a robust and scalable repository. It is closely integrated with, but separate from, DOORS, which is a requirements management tool (which itself supports the TAU systems development environment). Telelogic believes that the federated tool approach is appropriate, because different audiences need different tool philosophies and interfaces – a reasonable approach, as long as it is done well.

Change and configuration management is central to the ITIL® best practices for infrastructure management. The Telelogic product set complements the core ITIL® processes including problem, incident, change, release and configuration management. Moreover, Telelogic’s professional services organization methods are built on industry best practices to ensure ITIL® success.

For instance, Telelogic claims that SYNERGY/Change is the ideal tool to define,
refine and deploy an Incident Management Process, as its process definition can
include lifecycles (workflows), states and transitions, attributes and formulas,
rules and access security.

7. Fujitsu QoS Management [QoSM, web]


Mike Tsykin, Senior Business Development Manager with the SERC (Systems Engineering Research Centre) of Fujitsu Australia Limited and a Steering Committee member of the AQRM Forum of The Open Group, says that ITIL® and the Sarbanes-Oxley Act require business process improvement and prescribe pervasive measurement and, frequently, predictive management of business processes, which is the focus of his tool.

The tool itself is a repackaging of Fujitsu’s enterprise systems management tools into a customized Quality of Service appliance for enforcing and reporting service level agreements (SLAs), capacity planning etc. It differs from many such tools in the degree of automation it offers and also in that it is offered on a rental basis (the user needs no continuing investment in hardware infrastructure to deploy it).

8. Pervasive AuditMaster [AuditMaster, web]


This goes beyond the usual data access controls to audit authorized users of your data resources – a vital aspect of protecting, for example, your financial records for Sarbanes-Oxley. It is a database add-on with transaction intelligence and proactive monitoring capabilities but, unfortunately, it only supports the Pervasive SQL embedded databases currently.

However, support for the general-purpose Open Source database Ingres is promised soon, which will open up its applications. See a short review of AuditMaster at [ADA2004-1, web].

9. Managed Objects Formula [Formula, web]


The Formula BSM Platform can be used to measure, improve and enforce the performance and availability of all kinds of services, from online trading and customer relationship management, say, to something as basic as corporate e-mail. Managed Objects claims that Platform covers the full spectrum of Business Service Management and that you can use it to align IT to the business incrementally, attacking the key issues first. As most people will agree that the key issues are, in fact, important, this helps you gain acceptance for your IT governance initiative.

The strength of Platform lies in its Business Service Object Model, effectively a
schema that should allow for the storage of an object’s state (where an object
may be anything from a whole service to an individual server), together with
the root cause of that state and its business impact. It appears that views into
this model can be customized for different audiences – always a useful feature.
Managed Objects also sells a specialised CMDB offering.

In the next chapter we look at some of the issues associated with actually implementing IT governance.

Chapter 5
Implementing IT governance

Obtain management sponsorship
IT governance methodology overview

“Look at types of tools that are coming out to support IT governance – they only deal with risk in the development environment. What’s the risk of a project going wrong? They are not yet able to apply themselves to the operational world, the world that transactions live in. To detect, to measure success in any way.”
SPEAKER AT MANAGED OBJECTS ROUNDTABLE ENTITLED: IT GOVERNANCE: THE ROLE OF MEASUREMENT AND METRIC.

Implementing a formal IT Governance regime, assuming that you have only ad-hoc or informal governance processes at present, involves (despite what some vendors may tell you) a lot more than just buying some software – although once you do have the required culture in place, tools can facilitate the initiative. A first requirement is to align IT governance with corporate governance in general. Think of this as high-level requirements gathering – what are the business governance issues that currently worry the Board and the company auditors, and what questions would they like to ask or, more importantly, are they afraid to ask? Try to talk in terms of business issues, not technical solutions: of being able to demonstrate that the physical implementation of a bank’s money laundering policy, for example, is tested against the policies discussed by the Board of Directors, not about implementing Model Driven Architecture and Applications Lifecycle Management tools.

This discussion is only an input to your governance initiative. You can’t assume that the Board’s concerns are the right concerns – because informal risk analysis is often driven by media hype and by our tendency to concentrate on the most recent crisis we experienced. After the IRA bombings in London, people moved data centres down into the basement where they were safe from bombs but far more vulnerable to flooding, which is far more likely to affect a building in London than a bomb. Nevertheless, you’ll get no credit for your IT governance initiative if you can’t sensibly address the one question the CEO wants to ask, when he wants to ask it (even if the answer goes on to suggest that he/she may be asking the wrong question).

Obtain management sponsorship


The first essential for IT governance is informed top management sponsorship.
If management sends mixed messages – if it insists on good governance in practice
but pays performance bonuses to people who deliver systems faster by cutting
corners – people at the sharp end of IT will soon realize that only lip service to
good governance is required. However, since in this situation they will also realize
that this makes them ideal scapegoat material if something does go wrong, morale,
productivity and systems quality will fall, as a direct result of your governance
efforts.

There are three ‘metrics’ for management sponsorship of IT governance:

1. The availability of a corporate IT governance plan, overseen by a Governance Committee, with representation from IT professionals in the IT Group and reporting at Board level. The names are immaterial (the group could easily be called the IT Strategy Committee, say); what is important is that IT governance issues can be raised at Board level and that technically informed input to the discussion is available.

2. An IT governance framework is implemented, typically with an Internal Control department or some such group. What is important is that governance can be policed proactively, not ‘after the fact’ as an Audit Group would. Governance must not be seen as a barrier to implementation but as an assistive process, which ensures that IT systems get it right first time and contain no hidden surprises that will excite the regulators down the track.

3. Provision of a formal budget for the IT governance initiative. Without a budget, which Internal Control can book time against and that can be used for any tools and training that may be required, you really don’t have a governance initiative, no matter how much people talk about governance.

IT governance methodology overview


You should take a process-based approach to governance, which is why process initiatives like CMMI and ITIL® can be an important underpinning to IT governance. CMMI is about organizational maturity, the ability of an organization to implement a process in pursuit of an objective, measure its consequences and improve the process to better deliver against changing business objectives; ITIL® is a collection of ‘best practice’ processes for managing IT infrastructure. If third parties (such as regulators) question your IT governance in detail, it can be useful to point to your maturity/capability as an indicator that your process can be effectively improved to address the questions raised. It is significant that Borland, a vendor of Application Lifecycle Management tools, has recently acquired the CMMI and process consultancy, TeraQuest. Borland is implementing CMMI Level 3 (the adoption of managed process at the organizational level) internally and will no doubt include process improvement on the CMMI model as part of its Application Lifecycle Management offerings.

You should take a systems approach to governance. Your internal process is in a state of dynamic equilibrium. Changing external threats and regulations provide external stimuli, resulting in feedback through the Internal Control function to management and the technicians in the IT Group, which results in changes to the internal process that satisfy the new regulations or mitigate the new threats.

Separation of function keeps the whole process ‘honest’:

• The Internal Control Group reports to the Board via the Governance
Committee – it is immune to local politics in the IT Group and in business
departments, and is focused on corporate strategy. Since it sets
requirements but isn’t responsible for systems delivery, it isn’t tempted
to interfere in technical matters that are properly the province of the
experts in the IT group.

• The IT Group is presented with governance as, essentially, a systems requirement. It isn’t tempted to compromise governance in the interests of speedy or cheap delivery, because governance is part of what it is delivering. At the same time, it is free to determine the most effective technical solution to the business governance requirements raised by the Internal Control function, without having possibly inappropriate technical controls bolted on to completed systems, that can easily introduce technical defects.

• The Auditors report independently and confirm that the processes are
working by comparing practice against the agreed framework
everyone should be working to. If it is all working properly, the Auditors
should not find problems after the fact when they are expensive to
address because any problems should have been addressed proactively
during systems development/maintenance. However, if the process
is starting to fail, the Auditors should be able to proactively alert
management to the issue.

As with any other IT project, IT governance needs clear objectives and a budget allocation; and a plan showing how these objectives will be achieved and how the budget will be allocated. Implementation should be in stages, frequently delivering defined governance benefits, rather than a ‘big bang’ implementation delivering perfect governance in one go years in the future – if the company remains focused on the project that long. The stages in implementing an IT governance initiative from scratch would be, broadly (and in no particular order), as follows:

1. Obtain buy-in on the ground


The impetus to good governance may be clear at Board level but the troops can
be surprisingly cynical about such initiatives. Too many of us have heard managers
talk about the best of practices – and seen them reward cowboys for rapid delivery
of systems which are full of problems for less charismatic workers to clear up,
for little reward or thanks.

Training is probably key to an organization demonstrating to its staff that it is serious about governance – training in new tools, training in performance management, so as to ensure that the possible overheads of governance don’t impact on operational performance. In addition to training, experienced (perhaps external) mentors who have a wide experience of IT generally and recognize, and know how to address, the more subtle governance issues, can be helpful.

A governance forum, in which workers at the sharp end can discuss governance
issues and suggest solutions in public (far more useful than mutterings around
the water cooler about some technically infeasible governance edict), is a good
idea. However, you must make sure that you document the action points from
such a forum and show the community that the issues it identifies are at least
given proper consideration (this is process management through feedback). It
is also important that such a forum represents both the business and IT points
of view, with fully informed and empowered attendees. If it becomes a cost-
focused drag on innovation (e.g.: ‘our job is to find out where the IT department
wants to spend money and stop it’) such a forum can be counterproductive.

2. Map IT to the business


Generally, there is a ‘many to many’ relationship between business functions and
the IT infrastructure. A particular server, a computer storing both business data
and automated data processing systems, may support many business functions,
for example; conversely, a single business function may invoke many servers.

The best way to do this is with diagrams, but the relationships involved are too complex for this to be done manually. In addition, there is a strong risk that such maps will become out-of-step with reality. Business process analysis/management tools can provide a useful bridge between the world of IT and the world of business, although there isn’t a lot of evidence that they’re being used for this yet.

The best way to maintain such mappings is therefore with automated tools that
can generate the framework (at least) for automated systems from models relating
business processes to IT systems. Look for suites of systems development tools
(not necessarily from the same vendor) that support the entire development
lifecycle from business process modeling and requirements management, through
to coding and testing.

3. Implement policy-based security and identity management


There is a lot more to IT governance than security, but security is part of it. Good
security requires risk and threat analysis, to determine and prioritize the risks
facing the organization; and then formulation of a Security Policy, which
documents policies designed to mitigate, transfer (through insurance, say) or
accept (in conjunction with contingency plans) the various identified risks. Then
you can begin to design procedures that will implement the policies. Ideally, the
policies will be fairly generic, so that when changing technology or business
renders a procedure obsolete, the intent of the policy is clear and can direct the
formulation of a new procedure.

Good security is role based, as this aids maintenance. People in an organization have basic, restricted access as employees; then as they are given roles in the organization, each role brings with it appropriate access permissions. If people move roles within the organization, they lose permissions associated with one role and gain those associated with another.

Identity management is related to security. It is all about identifying people unambiguously and managing the attribution of identity to people seeking access to your organization. It includes providing the facilities to enable the unambiguous attribution of actions to identities, essential for audit trails and security. A large part of IT governance comes from people taking responsibility for their actions. Without identity management, your governance is built on sand.
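The two points above (permissions that follow roles rather than people, and actions attributable to an unambiguous identity) as an added worked example in Python; this is illustrative code, not from the report or from any product it discusses, and the roles, permission names and user ids are constructed for the illustration.

```python
"""Constructed example: role-based access control with an attributable audit trail.

Permissions are never granted to a person directly; they come only from the
roles that person currently holds, so a transfer between roles drops the old
permissions automatically. Every access decision is recorded against the
unambiguous user identity so that actions can be attributed afterwards.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role catalogue (the report names no specific roles or permissions).
# Every employee gets the restricted "employee" baseline; other roles add to it.
ROLE_PERMISSIONS = {
    "employee": {"intranet:read"},
    "accounts_payable": {"ledger:read", "invoice:create"},
    "accounts_manager": {"ledger:read", "ledger:approve"},
    "it_operator": {"ledger:read", "server:restart"},
}


@dataclass
class AuditEvent:
    when: str
    user_id: str      # the unique identity, never a display name or shared login
    action: str       # what the person was trying to do, in business terms
    permission: str   # the permission the action required
    allowed: bool


@dataclass
class RBAC:
    roles: dict = field(default_factory=lambda: dict(ROLE_PERMISSIONS))
    assignments: dict = field(default_factory=dict)   # user_id -> set of role names
    audit: list = field(default_factory=list)

    def hire(self, user_id):
        """A new joiner starts with the restricted baseline only."""
        self.assignments[user_id] = {"employee"}

    def assign_role(self, user_id, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments[user_id].add(role)

    def move_role(self, user_id, old_role, new_role):
        """A transfer leaves one role and joins another in a single step.

        Nothing from the old role survives the move except the baseline,
        which is the maintenance benefit the report describes.
        """
        self.assignments[user_id].discard(old_role)
        self.assign_role(user_id, new_role)

    def permissions(self, user_id):
        """Effective permissions are derived from current roles, never stored per person."""
        perms = set()
        for role in self.assignments.get(user_id, ()):
            perms |= self.roles[role]
        return perms

    def check(self, user_id, permission, action):
        """Decide and record; the log entry is tied to user_id whatever the outcome."""
        allowed = permission in self.permissions(user_id)
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, action=action, permission=permission, allowed=allowed,
        ))
        return allowed

    def actions_by(self, user_id):
        """Everything one identity attempted, which is what an auditor asks for."""
        return [e for e in self.audit if e.user_id == user_id]


def demo():
    """Walk one constructed user through a role change and return the decisions."""
    rbac = RBAC()
    rbac.hire("u1001")
    rbac.assign_role("u1001", "accounts_payable")
    before = rbac.check("u1001", "invoice:create", "create invoice INV-1")
    # Promotion: the clerk becomes a manager and must lose the clerk's rights.
    rbac.move_role("u1001", "accounts_payable", "accounts_manager")
    after_old = rbac.check("u1001", "invoice:create", "create invoice INV-2")
    after_new = rbac.check("u1001", "ledger:approve", "approve invoice INV-1")
    return rbac, before, after_old, after_new


if __name__ == "__main__":
    rbac, *decisions = demo()
    print("decisions:", decisions)
    for event in rbac.actions_by("u1001"):
        print(event)
```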

In common with the general tenor of this report, a standards-based approach to security is recommended, although you may not need to formally certify against the standards. ISO/IEC 17799:2000 [StandDir, web] is becoming accepted worldwide as the code of practice for information security management, although you can’t really certify against this, as it isn’t a specification you can assess against. You also need BS7799-2:2002, the corresponding specification (which you can certify against); and both are available as a package, with some extra material, as the ISO 17799 Toolkit. ISO 17799 et al. provides an excellent framework for implementing security and ensures that you take a holistic approach, starting with risk management (although it isn’t strong on the details of this) and covering often-neglected areas such as business continuity. However, some form of mentoring from an external security consultant is recommended too – it is difficult to make an unbiased assessment of risk and the threats facing you, from inside an organization.

Tools to support IT risk assessment, implement ISO 17799 etc. are available. Some of these can be very useful but beware of concentrating only on those areas your tools cover and neglecting business risk assessment as a whole: there is little point in mitigating the IT risk affecting a system if the business risk is uncontrolled; and almost any IT security measures can be rendered ineffective if unhappy or unjustly-treated staff can be compromised, or if physical access to the premises and IT infrastructure isn’t effectively controlled. In the case of risk assessment tools, in particular, investigate the provenance and localization of the threat database that underlies their risk assessment facilities. A database relating to US threats, say, may not be wholly appropriate in the UK, and a database that is some years old may miss emerging threats (ideally, you should be able to add threats from your own history to the database).

4. Implement BSM across all platforms


Business Service Management (BSM – see Chapter 4) means that you manage your IT infrastructure in terms of the business services it implements. Managed Objects claims to have invented the term [ManObj, web] but it is also associated with HP and BMC Software these days; and BMC’s Atrium CMDB, which addresses the IT Infrastructure Library (ITIL®) requirement for a single, enterprise database to ensure data consistency and support integration across differing service management processes, may be a significant enabler for BSM.

Business Service Management is commonly taken to include Service Level Management, Incident and Problem Management, Infrastructure and Application Management (including Licence Management), Service Impact and Event Management, Asset Management and Discovery, Change and Configuration Management, Capacity Management and Provisioning, and Identity Management. Some of these have been split out for special emphasis in the present chapter.

By its very nature, BSM must be cross-platform. Business users will not be happy if business-friendly service level reporting and management stops abruptly when their data strays onto the mainframe, for example. This is a serious governance issue as discontinuities in the vocabulary and culture of service level management and security facilitate breakdowns in IT governance at that point.

5. Implement infrastructure management


Having a fully managed infrastructure based on an up-to-date and maintained asset register is an essential part of IT governance. Even something as simple as IT asset management is a vital part of IT governance. If you don’t know exactly what hardware you have and exactly what software is running on it, how can you claim any sort of IT governance? Software piracy is one area where organizations seem to be assumed guilty unless they can prove innocence, and the consequences of a visit by the piracy police (disruption, confiscation, fines) can be immense. Yet how effective can a plea that ‘we’re sure all our software is licensed although we don’t know what software we have and where it is running’ be?

ITIL® is a good basis for infrastructure management, although it is probably sufficient rather than necessary. As well as asset management, capacity management and service level management, the Service Desk function and defect tracking are typically part of an IT governance framework.

6. Implement configuration management


Configuration management involves the identification of the components of an
automated system that contribute to the service it delivers and the management
of changes to this configuration (including audit trails and facilities for backing
out of unsuccessful changes). Software change control (keeping track of
changes to software code as requirements change or defects are addressed) is
only part of configuration management.

Defect and problem tracking and service desk support are closely related to configuration management.

7. Implement business continuity management


The availability of IT systems is now critical to the operation of many businesses. This makes Business Continuity Management (BCM) a vital part of IT governance (it’s also required by the ISO 17799 security standard). In fact, it should be built in from the start by designing critical systems to be resilient. BCM is non-trivial to do well and external consultancy may be attractive. It must be firmly based on an objective assessment of risks (itself difficult unless you are an experienced risk assessor), including risks the organization hasn’t encountered yet, and deal with the spectrum of contingency from minor service interruptions to a full-blown disaster that eliminates a data centre in its entirety.

It is important to ensure that IT governance is maintained sensibly (at a managed level) during a contingency, as otherwise a contingency could be engineered as an opportunity to steal data, compromise business transactions or financial reports, or sabotage systems. A ‘whole systems’ approach to business continuity should be adopted. The non-availability of phones or a serious health and safety issue can take out a business service just as effectively as a fire-damaged computer.

8. Implement information lifecycle management


Electronic information can be as important and legally significant as paper documents such as contracts, formal and (potentially forged) instruments. The courts will probably treat any email as an electronically signed document, according to Stephen Mason, Barrister, speaking at SUNLive05 [SUNLive05, web] in London. The regulations and laws affecting business information (see Chapter 2) say that information must be available to answer auditors’ questions in a timely manner, and its provenance must be capable of proof; but, as well as this, some personal information must be destroyed securely when you no longer need it. This means that you need a policy-based information lifecycle management system (similar in purpose to document management systems in the ‘real world’). This must be able to classify information, store it cost-effectively and securely (possibly with backup copies kept offsite), document its creation, amendment and destruction, and securely audit the critical events in the lifecycle.

9. Implement a systems development/acquisition process


If you build software, you must have a lifecycle development process (see Chapter 4) from business requirements analysis through to coding, testing and implementing systems (in fact, testing should start with validation of the requirements). This is best implemented by training and mentoring, using tools to facilitate desired practice. Simply mandating a development process does not work well.

If you don’t build software, you need a similar process for implementing packages. You still need to analyze business requirements, in order to choose a package which best fits your business process and in order to assess the impact of the business process embodied in the package on your existing business process. And you still need to test package applications, in case they don’t do what they say they will, or you implement them incorrectly. If you customize a package, this is really a small systems development project and similar QA measures are necessary.

10. Optimize processing


If you don’t have a great deal of IT governance, introducing full-blown governance and compliance measures can impact processing overheads – and, therefore, the business (after implementing HIPAA in the States, data volumes often increase by an order of magnitude or more). It is therefore vital to include what Mercury Interactive calls ‘business technology optimization’ [Mercury, web] in your governance program. Put crudely, satisfying the requirements of HIPAA or Sarbanes-Oxley (or local equivalents) can increase, say, database accesses by several orders of magnitude – and, doubtless, many database infrastructures won’t be designed to cope with this. Unless you reassess and, possibly, optimize performance, the immediate result of introducing IT governance may be to impact business performance and, thus, the reputation of IT (and also badly impact your career).

11. Implement problem management


Business Continuity is often thought of as disaster recovery, something stand-alone that you bring in after a disaster, such as the loss of a data centre in a fire. This is obviously an aspect of IT governance, if the business depends on applications running in that data centre, but this is too limited a view (see Business Continuity Management, BCM, above). Business continuity is also a function of IT problem management.

The business needs to be isolated from IT problems: at one end, a significant part of the IT infrastructure is lost and we talk of disaster recovery and BCM; at the other end, a bug is encountered that affects the business or a small part of the IT infrastructure (a single phone line perhaps) drops out and we talk about problem or incident management and defect tracking. In the interests of good IT governance, you should probably see this as a continuum: the impact of IT issues on the business should be limited, well controlled and managed.

This is usually associated with a service desk function, which should aim for
pre-emptive identification and mitigation of emerging issues, ideally before they
have any impact on a business service. There are many sophisticated service
desk packages: BMC Remedy [Remedy, web], for example, or FrontRange’s HEAT
[HEAT, web].

12. Demonstrate ROI


At least one of the objectives behind any IT governance initiative is likely to be to better run IT for the organization’s benefit. So, it is very good practice to instrument IT Governance systems and report business information so that IT governance, and the ROI (Return on Investment) from the governance project, can be demonstrated on a continuing basis.

Choose your metrics carefully – people tend to deliver what you measure, so if
you choose the wrong measures you may get the wrong results. Early attempts
to measure the quality of support staff, for instance, in terms of the number of
calls completed in a period resulted in a plethora of quick fixes and recurring
problems – because continual short-term fixes to the same problem made the
metrics look better. It might have been better to measure problems fixed without
recurrences and customer satisfaction rather than calls processed. After all,
provided it is accessible and servicing the calls it gets, the fewer calls a service
desk has to process, the more successful it is!
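The measurement point above as an added Python example (not from the report): one constructed set of service desk tickets scored both as ‘calls processed’ and as ‘problems fixed without recurrence’, so the two metrics can be compared on the same data. The tickets, the analyst-assigned problem keys and the 30-day recurrence window are assumptions made for the illustration.

```python
"""Constructed example: scoring a service desk two ways.

'Calls processed' rewards closing tickets quickly even when the same problem
comes straight back; 'problems fixed without recurrence' rewards a fix that
sticks. All records below are made up for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed tickets: (ticket_id, problem_key, opened, closed-or-None).
# problem_key is the underlying problem as the analyst records it at closure;
# tickets sharing a key are the same problem coming back.
TICKETS = [
    ("T1", "printer-03-jam",    date(2005, 3, 1),  date(2005, 3, 1)),
    ("T2", "printer-03-jam",    date(2005, 3, 3),  date(2005, 3, 3)),
    ("T3", "printer-03-jam",    date(2005, 3, 8),  date(2005, 3, 8)),
    ("T4", "vpn-cert-expired",  date(2005, 3, 2),  date(2005, 3, 4)),
    ("T5", "mailbox-quota",     date(2005, 3, 5),  date(2005, 3, 5)),
    ("T6", "mailbox-quota",     date(2005, 4, 20), date(2005, 4, 20)),  # 46 days later
    ("T7", "ledger-batch-slow", date(2005, 3, 9),  None),               # still open
]

# A fix is judged to have stuck if the problem stays away this long (assumed value).
RECURRENCE_WINDOW = timedelta(days=30)


def calls_processed(tickets):
    """The naive metric: closed tickets, regardless of what they were about."""
    return sum(1 for _, _, _, closed in tickets if closed is not None)


def recurrences(tickets, window=RECURRENCE_WINDOW):
    """Ticket ids raised for a problem that had been 'fixed' within `window` before."""
    by_problem = defaultdict(list)
    for ticket_id, key, opened, closed in tickets:
        by_problem[key].append((opened, closed, ticket_id))
    recurring = []
    for items in by_problem.values():
        items.sort(key=lambda item: item[0])   # chronological by opened date
        last_fix = None
        for opened, closed, ticket_id in items:
            if last_fix is not None and opened - last_fix <= window:
                recurring.append(ticket_id)
            if closed is not None:
                last_fix = closed
    return recurring


def problems_fixed_without_recurrence(tickets, window=RECURRENCE_WINDOW):
    """Distinct problems closed at least once and not seen again inside `window`."""
    recurring_ids = set(recurrences(tickets, window))
    recurring_keys = {key for ticket_id, key, _, _ in tickets if ticket_id in recurring_ids}
    fixed_keys = {key for _, key, _, closed in tickets if closed is not None}
    return fixed_keys - recurring_keys


def scorecard(tickets):
    """Both metrics side by side, so the gap between them is visible."""
    return {
        "calls_processed": calls_processed(tickets),
        "recurrences": len(recurrences(tickets)),
        "problems_fixed_without_recurrence": len(problems_fixed_without_recurrence(tickets)),
    }


if __name__ == "__main__":
    for name, value in scorecard(TICKETS).items():
        print(f"{name}: {value}")
```

On these records the desk closed six calls but fixed only two problems that stayed fixed: the printer jam was ‘closed’ three times in a week.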

Look beyond a purely financial ROI. Good IT governance reduces risk, so it increases business confidence and allows you to play in areas your competitors find too risky. It involves efficient provisioning, so new staff get up-to-speed faster, and promotes a supportive IT environment, with fewer surprises, so staff morale generally should improve. A ‘balanced scorecard’ [BalScore, web] approach to measuring the impact of IT governance is probably appropriate. It is always important to remember that IT governance is only a means to an end. ‘Better IT governance’ is not really a useful objective; it is better to have increasing the ‘bang per buck’ spent on IT as an objective (measured in business terms), or widening your customer base in areas where good governance forms part of the acceptance criteria, or even reducing the cost of regulatory compliance and controlling the risk of legal action. Nevertheless, be realistic. If your improved IT governance allows you to win a lucrative contract in the health industry, you can’t accrue the entire profit to your IT governance effort – it may be an enabler, and this is a real non-financial ROI, but the final profit is mostly down to the software or services you supply against the contract. Similarly, if your improved governance makes you more efficient, you can’t claim the man-hours saved as a benefit until you actually reduce headcount or redeploy people onto productive work.

13. Reviews
Reviews of IT systems after changes have bedded in, in order to enable a ‘gap
analysis’ of the differences between aspiration and reality, followed by the
scheduling of maintenance efforts aimed at reducing any gaps, are an important
characteristic of good IT governance. Sometimes, as with CMMI initiatives (see
Chapter 2), these reviews are part of a formal process but, regardless of how
you approach IT governance, there must be some sort of review and feedback
process. Change seems to be part of the nature of IT, so a static governance
system, however effective, is unlikely to stay effective for long.

In the next chapter we summarise the findings of the Report.

Chapter 6
Conclusions

“Companies with better than average IT governance earn at
least a 20 percent higher return on assets than organizations
with weaker governance.”
JEANNE ROSS AND PETER WEILL IN THE JUN. 15, 2004 ISSUE OF CIO MAGAZINE.

“If it were done when ’tis done, then ’twere well it were
done quickly.”
SHAKESPEARE, MACBETH.

So, what is IT governance? It is an extension of corporate governance generally,
which ensures that automated systems contribute effectively to the business
goals of an organization, that IT-related risk is adequately identified and
managed (mitigated, transferred or accepted), and that automated information
systems (including financial reporting and audit systems) provide a ‘true picture’
of the operation of the business. Changes in legislation mean that IT governance
is, or will be shortly, a pressing concern in many companies dependent on IT.

In Chapter 1, we looked at the context of IT governance in corporate governance.
IT governance is important because various accounting and other scandals
(Worldcom, Enron, failed government contracts and so on) have led ‘the powers
that be’ to suspect that financial systems are creeping out of control. They are
realizing that most financial controls are based on IT and that this apparent loss
of control could impact commercial confidence generally. Stephen Haddrill,
Director General, Fair Markets, summed the situation up well in his Foreword
to Proposal by the European Commission for a Directive on Statutory Audit of
Annual and Consolidated Accounts, September 2004 (The Department of Trade
and Industry (DTI) consultation period on this ended 30 November 2004 [8thDir,
web]):

“We believe the market is the best regulator of corporate activity. For the market
to operate efficiently, however, we need a robust legal framework that ensures
that investors have full and accurate information on which to base their
decisions.

Following the collapse of WorldCom and Enron in the US, and miscellaneous
corporate scandals elsewhere, the Department of Trade and Industry (DTI)
reviewed all aspects of financial and audit reporting. We concluded that our
approach was fundamentally sound, but that the system could be strength-
ened in a number of ways. In particular, we expanded the role of the Financial
Reporting Council to provide independent oversight of the audit profession.
The European Commission has looked at these issues in parallel. One result
of their work is a proposal for a new 8th Company Law Directive on statu-
tory auditing – which updates the original 1984 Directive, and follows many
of the UK’s initiatives.”

This activity means that stakeholders in IT governance, even if they are indirect
stakeholders, are starting to ask questions that concern IT governance. An investor
in a company wants to be sure that the financial reports s/he relies on haven’t
been tampered with so as to misrepresent the true position of the company –
and also wants to be confident that they won’t contain errors that are the result
of program bugs or logic errors.

In Chapter 2, we reviewed the external pressures for IT governance, from the
legal and regulatory systems in which companies using IT must operate. The
legal systems in most countries are increasingly making company directors
responsible for corporate governance – and therefore IT governance.

In Chapter 3, we analysed the organizational impact of corporate governance
and the building of a more mature, measurement-focused organization. We
described the Capability Maturity Model Integration (CMMI) from the Software
Engineering Institute at Carnegie Mellon University, which can be taken as a
framework for talking about capability and maturity, even if you don’t assess
formally.

In Chapter 4, we looked at the impact on the IT group specifically and at
initiatives like DSDM (the Dynamic Systems Development Method) and ITIL®
(the IT Infrastructure Library).

In Chapter 5, we gave an overview of the implementation of IT governance. Key
to this is, as always, getting buy-in at all levels and removing barriers to
implementation with training.

Our overall conclusion must be that good IT governance, in a form that can be
demonstrated to the stakeholders in an organization and interested third parties,
if appropriate, is now an explicit requirement for any IT group. A piecemeal
approach is likely to be expensive, as it will have to be repeated every time
something changes – the legal framework around corporate governance these
days makes cosmetic compliance a high-risk strategy.

So, the fundamental requisite for good IT governance is a ‘mature and capable’
organization – one that says what it is going to do, does it, measures the conse-
quences – and applies feedback in order to bring reality closer to the original
aspiration.

Such an organization will find a process-based approach to be more effective
and, in the long term, cheaper to maintain. It will adopt standards-based
frameworks such as ITIL® for infrastructure management and DSDM for systems
development, both to avoid reinventing the wheel and also to ensure that
inappropriate assumptions don’t result in aspects of governance being overlooked.
Then, once it knows what it wants to do, it will use tools to automate its processes
as far as is appropriate. ‘Computer-aided people’ are more cost-effective and
efficient than people alone, more flexible than automation alone, and governance
rules embodied in software or as parameters applied to software are easier (and
cheaper) to audit and enforce.

Appendix

Resources
[8thDirCons, web] – http://www.dti.gov.uk/consultations/files/publication-1371.pdf.

[ADA2005-3, web] – ‘Manage the Process’, Andrew Griffiths, ADA Mar/Apr 2005,
http://www.appdevadvisor.co.uk/prod_rev/index.html or archived at
(registration required) http://www.appdevadvisor.co.uk/archive/index.php.

[ADA2004-1, web] – ‘Would Sir like his database managed?’, Ian Murphy,
ADA Jan/Feb 2004, archived at (registration required):
http://www.appdevadvisor.co.uk/archive/index.php.

[ALM, web] – the Borland solution for Application Lifecycle Management
(ALM), http://www.borland.com/alm/.

[ASB, web] – Bulletin 2004/3 (December 2004), ‘The Combined Code on
corporate governance: Requirements of auditors under the Listing Rules of
the Financial Services Authority’,
http://www.asb.org.uk/apb/publications/pub0648.html.

[Atrium, Web] –
http://www.bmc.com/products/products_services_detail/0,,0_0_0_1806,00.html.

[AuditMaster, web] – Pervasive’s AuditMaster tool,
http://www.pervasive.com/auditmaster/index.asp.

[BalScore, web] – The Balanced Scorecard Institute,
http://www.balancedscorecard.org/.

[Beck, 1999] – Kent Beck, ‘Extreme Programming Explained: Embracing
Change’, 1999, Addison Wesley, ISBN: 0201616416.

[BIS, web] – Bank for International Settlements, Enhancing corporate
governance for banking organizations (September 1999),
http://www.bis.org/publ/bcbsc138.pdf.

[BoardBrief, web] – Board Briefing on IT Governance, 2nd Edition – IT
Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL
60008 USA, Phone: +1.847.590.7491, Fax: +1.847.253.1443, E-mail:
info@itgi.org, Web sites: www.itgi.org and www.isaca.org.

[BSA, web] – The Business Software Alliance, http://www.bsa.org/.

[BSM, Web] –
http://www.bmc.com/BMC/BSM/CDA/hou_bsm_page/0,3752,11459313_11468130,00.html.

[CC, web] – The Combined Code on corporate governance, July 2003,
http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf.

[Changepoint, web] – Compuware Changepoint,
http://www.compuware.com/it-governance/default.htm.

[CMMI, web] – Capability Maturity Model Integration,
http://www.sei.cmu.edu/cmmi. This model is based on assessment against 5
maturity levels: 5 – Continuous process improvement through proactive
process measurement; 4 – Quantitative process metrics, at the organizational
level, used to manage and improve the process; 3 – Managed process at an
organizational level; 2 – Managed process, at a project level; 1 – Ad hoc
application of process.

[CompaniesAudit, web] – Companies (Audit, Investigations and Community
Enterprise) Act 2004,
http://www.legislation.hmso.gov.uk/acts/acts2004/20040027.htm.

[Constantine, 1995] – Larry Constantine, ‘Constantine on Peopleware’,
Yourdon Press, 1995, ISBN 0-13-331976-8.

[CoprightAct, web] – UK Copyright, Designs and Patents Act,
http://www.hmso.gov.uk/acts/acts1988/Ukpga_19880048_en_1.htm.

[Disability, web] – Disability Discrimination Act 1995,
http://www.disability.gov.uk/dda/; also Special Educational Needs and
Disability Act 2001, http://www.hmso.gov.uk/acts/acts2001/20010010.htm.

[Doors, web] – Telelogic Doors-Synergy integration,
http://www.telelogic.com/products/integrations/doors_synergy.cfm?campaigncode=000418-001647.

[DPA, web] – Data Protection Act 1998,
http://www.hmso.gov.uk/acts/acts1998/19980029.htm.

[DSDM, web] – Dynamic Systems Development Method, http://www.dsdm.org/.

[ESB, 2004] – David A Chappell, ‘Enterprise Service Bus’, 2004, O’Reilly,
ISBN 0-596-00675-6.

[FAST, web] – the Federation Against Software Theft, http://www.fast.org.uk/.

[Faegre, web] – Michael Fleming, ‘Sarbanes-Oxley and IT: Beware of Magic
Bullet Solutions’, http://www.faegre.com/articles/article_1076.aspx.

[FI, web] – Freedom of Information Act 2000,
http://www.hmso.gov.uk/acts/acts2000/20000036.htm.

[Formula, web] – The Formula BSM Platform,
http://www.managedobjects.com/products/formula.jsp.

[HAS, web] – The Health and Safety Homepages,
http://www.healthandsafety.co.uk/haswa.htm; also Statutory Instrument 1999
No. 3242 The Management of Health and Safety at Work Regulations 1999,
http://www.hmso.gov.uk/si/si1999/19993242.htm.

[HEAT, web] – The HEAT service management product suite from FrontRange
Solutions, http://www.frontrange.com/ProductsSolutions/Category.aspx?id=22&ccid=41.

[HIPAA, web] – Health Insurance Portability and Accountability Act,
http://www.hipaa.org/.

[IOD, 2004] – Institute of Directors and SAS, ‘corporate governance’, 2004,
Director Publications, ISBN 1 9045 2025 3.

[ITIL®, web] – IT Infrastructure Library, http://www.ogc.gov.uk/index.asp?id=2261.

[ITIL® FAQ, Web] – http://www.ogc.gov.uk/index.asp?id=1000368.

[ITPP, 2004] – ‘IT Policies and Procedures’, Section 9, Legislative Compliance,
Thomson/GEE (http://supp.gee.co.uk/gee/it/).

[itSMF, Web] – IT Service Management Forum, http://www.itsmf.com/.

[Kaplan and Norton, 1992] – Robert Kaplan and David Norton, ‘The Balanced
Scorecard – Measures that Drive Performance’, Harvard Business Review, 1992.

[Kaplan and Norton, 1996] – Robert Kaplan and David Norton, ‘The Balanced
Scorecard: Translating Strategy into Action’, Harvard Business School Press,
1996, ISBN 0-87584-651-3.

[ManObj, web] – Managed Objects, http://www.managedobjects.com.

[Mercury, web] – Mercury Business Technology Optimisation (BTO) solutions,
http://www.mercury.com/uk/solutions/.

[Netegrity, 2005] – Netegrity IT Security/Compliance Survey, 2005,
unfortunately not available on the Netegrity website (http://www.netegrity.com).

[OECD, web] – The review process for the OECD Principles of corporate
governance,
http://www.oecd.org/document/26/0,2340,en_2649_201185_23898906_1_1_1_1,00.html.

[OpenView, Web] – http://www.managementsoftware.hp.com/solutions/bsm/.

[PCSupportAdv, web] – David Norfolk, Understanding DSDM,
http://www.pcsupportadvisor.com/nasample/D1121.pdf.

[PlanISM, 2002] – ‘Planning to Implement Service Management’, 2002, ISBN
0113308779 (CD ISBN: 0113309058).

[ProcDir, web] – Select Business Solutions’ Process Director,
http://www.selectbs.com/products/select_process_director_plus.htm.

[QoSM, web] – Fujitsu’s Quality of Service (QoS) solution, http://www.qosm.co.uk/.

[Reiss, 1995] – Geoff Reiss, ‘Project Management Demystified’, 2nd ed., 1995,
E and FN Spon, ISBN 0 419 20750 3.

[Reiss, 1996] – Geoff Reiss, ‘Programme Management Demystified’, 1st ed.,
1996, E and FN Spon, ISBN 0 419 21350 3.

[Remedy, web] – BMC Software Remedy Service Management,
http://www.remedy.com/ and
http://www.bmc.com/products/proddocview/0,2832,19052_19429_10101852_9987,00.html.

[RIPA, web] – Regulation of Investigatory Powers Act (RIPA),
http://www.hmso.gov.uk/acts/acts2000/20000023.htm.

[SEC-SOX, web] – SEC compliance dates for Section 404 of Sarbanes-Oxley
(http://www.sec.gov/rules/final/33-8238.htm).

[SOX, web] – Sarbanes-Oxley Act, http://www.sarbanes-oxley.com/.

[StandDir, web] – Standards Direct is a source for copies of the ISO 17799
security standard, and a useful source of other BSI standards,
http://www.standardsdirect.org/iso17799.htm. The ISO 17799 Service &
Software Directory, http://www.iso17799software.com/, is also a useful
resource.

[Standish, web] – http://www.standishgroup.com/sample_research/chaos_1994_1.php.

[STR-DPA, web] – the UK’s anti-money laundering legislation and the Data
Protection Act 1998, guidance notes for the financial sector, April 2002,
http://www.hm-treasury.gov.uk/mediastore/otherfiles/money_laundering.pdf.

[SUNLive05, web] – SUNLive05 conference, March 22nd 2005,
http://www.sunlive05.com/mk/get/HOME.

[TeraQuest, web] – Borland/TeraQuest, http://www.teraquest.com/.

[Thoughtworks, web] – ‘Why we favour Agile Methods’,
http://www.thoughtworks.com/us/approach/index.html.

[Turley, web] – ‘Get Ready for the EU’s 8th Directive’, James S Turley, Chairman
and CEO, Ernst and Young, Directorship, June 2004,
http://www2.eycom.ch/library/items/directorship_200406/en.pdf.

[Turnbull, web] – Internal Control, Guidance for directors on the Combined
Code (The Turnbull Report) from The Institute of Chartered Accountants in
England & Wales, http://www.icaew.co.uk/cbp/index.cfm?aub=tb2I_6242.

[WCAG, web] – W3C Web Content Accessibility Guidelines,
http://www.w3.org/TR/WAI-WEBCONTENT/.

[WEEE, web] – WEEE Recycling Directive, http://www.dti.gov.uk/sustainability/weee/.
