
Enterprise Governance of IT

Prof. dr. Wim Van Grembergen


Dr. Steven De Haes

University of Antwerp (UA)


University of Antwerp Management School (UAMS)
IT Alignment and Governance Research Institute (ITAG)

www.uams.be/itag
Agenda

• Enterprise Governance of IT

• Enterprise Governance of IT practices

• Enterprise Governance of IT as enabler for business / IT alignment

• Enterprise Governance of IT as enabler for business value

Setting the scene

“IT doesn’t matter!”


(Nicholas Carr, HBR, 2003)

Setting the scene

"Firms with superior IT governance have at least 20% higher profits...than firms with poor governance given the same strategic objectives."
(Louis Boyle, VP Gartner EXP, 2006)

IT governance definitions

IT governance is the organizational capacity exercised by the board,
executive management and IT management to control the formulation and
implementation of IT strategy and in this way ensuring the fusion of
business and IT.
(Van Grembergen, 2002)

IT governance is the responsibility of the board of directors and executive
management. It is an integral part of enterprise governance and consists of
the leadership and organizational structures and processes that ensure that
the organization’s IT sustains and extends the organization’s strategies and
objectives.
(IT Governance Institute, 2001)

Three layers
IT GOVERNANCE

• strategic level: Board of directors
• management level: Executive management (CEO, CIO, …)
• operational level: IT and business management

Moving to Enterprise Governance of IT

Enterprise governance of IT (EGIT) is an integral part of
corporate governance and addresses the definition and
implementation of processes, structures and relational
mechanisms in the organisation that enable both business
and IT people to execute their responsibilities in support of
business/IT alignment and the creation of business value
from IT-enabled business investments.

(Van Grembergen & De Haes, 2009)

ISO 38.500 principles for Enterprise Governance of IT

• Principle 1: Responsibility
Individuals and groups within the organization understand and accept their
responsibilities in respect of both supply of, and demand for IT. Those with
responsibility for actions also have the authority to perform those actions.
• Principle 2: Strategy
The organization’s business strategy takes into account the current and future
capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the
organization’s business strategy.
• Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing
analysis, with clear and transparent decision making. There is appropriate balance
between benefits, opportunities, costs, and risks, in both the short term and the long
term.
• Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of
service and service quality required to meet current and future business requirements.
• Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are
clearly defined, implemented and enforced.
• Principle 6: Human Behaviour
IT policies, practices and decisions demonstrate respect for Human Behaviour, including
the current and evolving needs of all the ‘people in the process’.
Key assets governance

Board

Executive committee

Key assets: Human assets, Financial assets, Physical assets, IP assets, Information & IT assets, Relationship assets

Financial governance practices, IT governance practices

IT Governance versus IT Management
(Peterson, 2003)

[Figure: Business Orientation axis (Internal, External) against Time Orientation axis (Present, Future), positioning IT Management and IT Governance]

Structures, processes and relational mechanisms

Structures: Roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s)

Processes: Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT, Val IT, ITIL, IT alignment / governance maturity models

Enterprise governance of IT

Relational mechanisms: Active participation and collaboration between principal stakeholders, Partnership rewards and incentives, Business/IT co-location, Cross-functional business/IT training and rotation
Structures: Roles & responsibilities
(Weill & Woodham)

Decision domains (each with an Input and a Decision column): IT principles, IT architecture, IT infrastructure strategies, Business application needs, IT investment

Governance archetypes (rows): B. monarchy, IT monarchy, Feudal, Federal, Duopoly, Anarchy

Top three governance performers (achieving 4 performance objectives, weighted by importance)

Structures: Principles for Enterprise
Governance of IT

• IT is a professional organization that effectively and efficiently manages its resources in
alignment with the needs of the organization.
• IT is the exclusive provider of IT services. Outsourcing is always organised in joint
partnership between business and IT.
• IT is pro-actively engaged in further developing and innovating the organization.
• IT primarily develops and maintains competencies that are aligned to and required for
supporting the expertise available in the organization.
• The priorities within IT are aligned to the strategic goals of the organization through
integrated planning cycles.
• All IT applications comply with rules and policies as mutually agreed upon by business
and IT.
• IT is pro-actively engaged in reviewing and designing efficient business processes.
• IT and the business collaborate based on fixed agreements. Based on a scope definition,
impact analysis and capacity reviews, both business and IT commit to timely delivery
within quality requirements.
• There is transparency on the required service quality that IT has to deliver to the
business, and this service quality is continuously monitored.
• Starting from the initial development of a new business project, the potential impact on IT
needs to be analysed.

Structures: IT strategy committee
(IT Governance Institute, 2002)

• a board may carry out its IT governance duties through an IT strategy committee

• the IT strategy committee has to consider:


• how the board should become involved in IT governance
• how to integrate the board’s role in IT and business strategy

• the IT strategy committee needs to offer expertise and timely advice and direction
on topics such as:
• the alignment of IT with the business directions
• the achievement of strategic IT objectives
• the availability of suitable IT resources, skills and infrastructure
• optimization of IT costs
• the role and the value delivery of external IT sourcing
• risk, return and competitive aspects of IT investments
• progress on major IT projects
• measurement of IT performance

Structures: IT strategy committee
(IT Governance Institute, 2002)
• membership:
• chairman (board member)
• several board members
• IT experts as external advisors

• the IT strategy committee should work in close partnership with
• other board committees
• management committees

Structures: IT strategy committee versus IT steering
committee (IT Governance Institute, 2002)

• an IT strategy committee is on board level whereas an IT steering committee is
on executive level

• an IT steering committee:
• assists the executive in the delivery of the IT strategy
• oversees day-to-day management of IT service delivery and IT projects
• focuses on implementation

• membership of an IT steering committee


• sponsoring executive
• business executive (key users)
• CIO
• key advisors as required (IT, audit, legal, finance)

Processes: Balanced Scorecard
(Van Grembergen et al., 2002; Van Der Zee and De Jong, 1999)

• the basic idea of the BSC is that traditional financial measures should be
supplemented with measures concerning customer satisfaction, internal processes,
and the ability to innovate

• the BSC, initially developed at enterprise level, can also be applied to IT, and
through a cascade of business and IT scorecards integrated business and IT
management can be realized

• when using the BSC alignment method, business goals and the drivers
of business success are identified, including specific IT drivers (in this way,
IT can be integrated in the business)

• the IT BSC is becoming a popular tool, with its concepts widely supported
and dispersed by consultant groups

Generic IT Balanced Scorecard

• Corporate Contribution
• User Orientation
• Operational Excellence
• Future Orientation

Corporate Contribution Scorecard

To enable and contribute to the achievement of business objectives
through effective delivery of value added information services.

Objective | Measures | Benchmark
Business/IT Alignment | Operational plan/budget approval | N/A
Value Delivery | Measured in business unit performance | N/A
Cost Management | Attainment of expense and recovery targets | Industry expenditure comparisons
Cost Management | Attainment of unit cost targets | Compass operational “Top Performing” levels
Risk Management | Results of internal audits | OSFI Sound Business Practices
Risk Management | Execution of Security Initiative | N/A
Risk Management | Delivery of Disaster Recovery Assessment | N/A
Inter-company Synergy Achievement | Attainment of targeted integration cost reductions | Merger & Acquisition guidelines
Inter-company Synergy Achievement | Single system solutions | N/A
Inter-company Synergy Achievement | Target State Architecture approval | N/A
Inter-company Synergy Achievement | IT organization integration | N/A

User Orientation Scorecard

To be the supplier of choice for all information services, either
directly or indirectly through supplier relationship

Objective | Measures | Benchmark
Competitive Costs | Attainment of unit cost targets | Compass operational “Top Performing” levels
Competitive Costs | Blended labour rates | Market comparisons
Development Services Performance | Major project success scores: recorded goal attainment; sponsor satisfaction rating; project governance rating | N/A
Operational Services Performance | Attainment of targeted service levels | Competitor comparisons
Customer Satisfaction | Business unit survey ratings: cost transparency and levels; service quality and responsiveness; value of I.S. advice and support; contribution to business objectives | N/A

Operational Excellence Scorecard

To deliver timely and effective IT services at targeted service levels and
costs

Objectives | Measures | Benchmark
Development Process Performance | Function point based measures of: productivity; quality; delivery rate | TBD
Operational Process Performance | Benchmark based measures of: productivity; responsiveness; change management effectiveness; incident occurrence levels | Selected Compass Benchmark studies
Process Maturity | Assessed levels of maturity and compliance in priority processes within: planning and organization; acquisition and implementation; delivery and support; monitoring | TBD (ITGI)
Enterprise Architecture Management | Major project architecture approval; Product acquisition compliance to technology standards; “State of the Infrastructure” assessment | N/A

Future Orientation Scorecard

To develop the internal capabilities to continuously improve performance
through innovation, learning and personal organizational growth

Objectives | Measures | Benchmark
Human Resource Management | Results against targets: staff complement by skill type | N/A
Human Resource Management | Results against targets: staff turnover | Market comparison
Human Resource Management | Results against targets: staff “billable” ratio | Industry standard
Human Resource Management | Results against targets: professional development days per staff member | Industry standard
Employee Satisfaction | Employee satisfaction survey scores in: compensation; work climate; feedback; personal growth; vision and purpose | North American technology dependent companies
Knowledge Management | Delivery of internal process improvements to “Cybrary” | N/A
Knowledge Management | Implementation of “lessons learned” sharing process | N/A

Cascade of scorecards

Business Objectives

IT strategic balanced scorecard

• Operational Services Scorecards
• Governance Services Scorecards
• Development Services Scorecards

IS Service Desk Unit Scorecard

Roll-up to Service Level Performance metrics in IS Strategic Scorecard: Average Speed of Answer, Resolution Rate at Initial Call, Call Abandonment Rate

Corporate Contribution
• Expense Management *
• Cost per Contact
• Cost per User

Customer Orientation
• Client Satisfaction *
• Average Speed of Answer
• Resolution Rate at Initial Call
• Call Abandonment Rate
• Customer Caused Incidents

IS Process
• DS8 Process Maturity (Incident Management)
• Call Volume
• Percent Automatically Logged Incidents
• Call Monitoring: Quality of Tickets & Quality of Calls
• Average Number of Calls/Agent

Future Orientation
• Staff Complement *
• Staff Turnover *
• PD Days/Staff Member *
• Employee Satisfaction *
• Implementation of Knowledge Base Tool

* Will Aggregate as part of the I.S. Strategic Scorecard
Causal relationships

• IF: Building the foundation for delivery and continuous learning and growth (future orientation)
• THEN: Carrying out the roles of the IT division's mission (operational excellence)
• THEN: Measuring up to business expectations (user orientation)
• THEN: Ensuring effective IT governance (business contribution)

IT BSC maturity model

MATURITY LEVEL 1: There is evidence that the organization has recognized that there is a
need for a measurement system for its information technology division. There are ad hoc
approaches to measure IT with respect to the two main IT processes, i.e. operations and
systems development. This measurement process is often an individual effort in response
to specific issues.
MATURITY LEVEL 2: Management is aware of the concept of the IT balanced scorecard and
has communicated its intent to define appropriate measures. Measures are collected and
presented to management in a scorecard. Linkages between outcome measures and
performance drivers are generally defined but are not yet precise, documented or
integrated into strategic and operational planning processes. Processes for scorecard
training and review are informal and there is no compliance process in place.
MATURITY LEVEL 3: Management has standardized, documented and communicated the IT
BSC through formal training. The scorecard process has been structured and linked to
business planning cycle. The need for compliance has been communicated but compliance
is inconsistent. Management understands and accepts the need to integrate the IT BSC
within the alignment process of business and IT. Efforts are underway to change the
alignment process accordingly.
MATURITY LEVEL 4: The IT BSC is fully integrated into the strategic and operational planning
and review systems of the business and IT. Linkages between outcome measures and
performance drivers are systematically reviewed and revised based upon the analysis of
results. There is a full understanding of the issues at all levels of the organization that is
supported by formal training. Long term stretch targets and priorities for IT investment
projects are set and linked to the IT scorecard. A business scorecard and a cascade of IT
scorecards are in place and are communicated to all employees. Individual objectives of IT
employees are connected with the scorecards and incentive systems are linked to the IT
BSC measures. The compliance process is well established and levels of compliance are
high.
MATURITY LEVEL 5: The IT BSC is fully aligned with the business strategic management
framework and vision is frequently reviewed, updated and improved. Internal and external
experts are engaged to ensure industry best practices are developed and adopted. The
measurements and results are part of management reporting and are systematically acted
upon by senior and IT management. Monitoring, self-assessment and communication are
pervasive within the organization and there is optimal use of technology to support
measurement, analysis, communication and training.
Processes: Information Economics
(Parker, M., 1996; Van Grembergen and Van Bruggen, 1997)

• the information economics method is an alignment technique whereby both
business and IT score IT projects

• this evaluation method takes into account the ROI of a project and different
non-tangibles such as “strategic match of the project” (business evaluation)
and “match with the strategic IT architecture” (IT evaluation)

• information economics is a scoring technique resulting in a weighted total
score based on the scores for the ROI and the non-tangibles (typically scores
from 0 to 5 are attributed whereby 0 means no contribution and 5 refers
to a high contribution)

• information economics can be used as an alignment process whose objectives
are to prioritize and select projects

Processes: COBIT and VALIT as frameworks
for Enterprise Governance of IT

Enterprise Governance of IT

COBIT: focus on IT processes
Val IT: focus on IT related business processes

COBIT Framework

Business and Governance Objectives

INFORMATION
Criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability

IT RESOURCES
• data
• application systems
• infrastructure
• people

PLANNING AND ORGANISATION
PO1. define a strategic IT plan
PO2. define the information architecture
PO3. determine technological direction
PO4. define the IT processes, organization and relationships
PO5. manage the IT investment
PO6. communicate management aims and direction
PO7. manage IT human resources
PO8. manage quality
PO9. assess and manage risk
PO10. manage projects

ACQUISITION AND IMPLEMENTATION
AI1. identify automated solutions
AI2. acquire and maintain application software
AI3. acquire and maintain technology infrastructure
AI4. enable operation and use
AI5. procure IT resources
AI6. manage changes
AI7. install and accredit solutions and changes

DELIVERY AND SUPPORT
DS1. define and manage service levels
DS2. manage third party services
DS3. manage performance and capacity
DS4. ensure continuous service
DS5. ensure systems security
DS6. identify and allocate costs
DS7. educate and train users
DS8. manage service desk and incidents
DS9. manage the configuration
DS10. manage problems
DS11. manage data
DS12. manage the physical environment
DS13. manage operations

MONITOR AND EVALUATE
ME1. monitor and evaluate IT performance
ME2. monitor and evaluate internal control
ME3. ensure regulatory compliance
ME4. provide IT governance

The Major Elements of COBIT

• High-level and detailed Control Objectives
• Management Guidelines
• Inputs – outputs
• RACI chart
• Goals and metrics
• Maturity models
• Assurance Guidelines – Implementation Guidelines

COBIT Control Objectives
Example: Detailed Control Objectives for Manage Changes (AI6)
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all
requests (including maintenance and patches) for changes to applications, procedures,
processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritisation and Authorisation


Ensure that all requests for change are assessed in a structured way for impacts on the
operational system and its functionality. This assessment should include categorisation and
prioritisation of changes. Prior to migration to production, changes are authorized by the
appropriate stakeholder.

AI6.3 Emergency Changes


Establish a process for defining, raising, assessing and authorising emergency changes that
do not follow the established change process. Documentation and testing should be
performed, possibly after implementation of the emergency change.

AI6.4 Change Status Tracking and Reporting


Establish a tracking and reporting system for keeping change requestors and relevant
stakeholders up to date about the status of the change to applications, procedures,
processes, system and service parameters, and the underlying platforms.

AI6.5 Change Closure and Documentation


Whenever system changes are implemented, update the associated system and user
documentation and procedures accordingly. Establish a review process to ensure complete
implementation of changes.

COBIT - IT Control Practices
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch
and analyse all calls, reported incidents, service requests and information demands. There should be
monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate
SLA that allow classification and prioritisation of any reported issue as an incident, service request or
information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation
and resolution of customer requests and incidents. Develop business requirements for the service
desk, based on service definitions and SLAs, including hours of operation and expected response
time to a call. Ensure that service desk requirements include identifying staffing, tools and
integration with other processes, such as change management and problem management.
2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately
resolved by service desk personnel. Establish time thresholds to determine when escalation should
occur based on the categorisation/prioritisation of the request or incident.
3. Implement the necessary support software and tools (e.g., incident management, knowledge
management, incident escalation systems, automated call monitoring) required for operation of the
service desk and configured in accordance with SLA requirements, to facilitate automated
prioritisation of incidents and rapid resolution.
4. Advise customers of the existence of the service desk and the standards of service they can expect.
Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the
effectiveness of the service desk operation.
5. Using the service desk software, create service desk performance reports to enable performance
monitoring and continuous improvement of the service desk.
COBIT
Management Guidelines
Inputs – Outputs

Each process has primary inputs and outputs with process linkages

Inputs
• Mission and Goals
• Understanding of the business context, capability and capacity
• Business Strategy
• Risk Appetite

Process: PO1

Outputs
• Strategic Plan
• Tactical Plan
• Project Portfolio
• Service Portfolio

COBIT
Management Guideline
RACI Chart

RACI chart providing roles and responsibilities

Roles: CEO, CFO, Business Executive, CIO, Business Sr Management, Head of Operations, Chief Architect or CTO, Head of Development, Head of IT Admin (HR, Fin, etc), PMO, CARS

Process: PO1

COBIT
Management Guideline
Goals and metrics

Example: Goals and metrics
for Manage Changes (AI6)

COBIT
Maturity models

Example: Maturity Model
for Manage Changes (AI6)
0 Non-existent when
There is no defined change management process and changes can be made with virtually no control. There is no awareness
that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
1 Initial/ Ad Hoc when
It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take
place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable.
Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 Repeatable but Intuitive when
There is an informal change management process in place and most changes follow this approach; however, it is
unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning
and impact assessment takes place prior to a change.
3 Defined Process when
There is a defined formal change management process in place, including categorisation, prioritisation, emergency
procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and
processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact
of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and
technologies.
4 Managed and Measurable when
The change management process is well developed and consistently followed for all changes, and management is confident
that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and
controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise
the likelihood of post-production problems. An approval process for changes is in place. Change management documentation
is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change
management planning and implementation are becoming more integrated with changes in the business processes, to ensure
that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between
IT change management and business process redesign. There is a consistent process for monitoring the quality and
performance of the change management process.
5 Optimised when
The change management process is regularly reviewed and updated to stay in line with good practices. The review process
reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of
changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is
integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new
business opportunities for the organisation.
Val IT: Projects, Programmes, Portfolios and Value

Value – the end business outcome expected from an IT-enabled business
investment where such outcomes may be financial, non-financial or a
combination of the two.

Portfolio (Portfolio Management) – a suite of business programmes managed to optimise
overall enterprise value

Programme (Programme Management) – a structured grouping of projects that are both
necessary and sufficient to achieve a business outcome and deliver value, including
business change management, business processes, people, etc. (primary unit of
investment within VALIT)

Project (Project Management) – a structured set of activities concerned with delivering
a defined capability based on an agreed schedule and budget (that is necessary
but not sufficient to achieve a required business outcome)
Val IT - Relationship between
Processes & Practices

Establish Governance Framework for Value Management (VG)
• Establish informed and committed leadership
• Define and implement processes
• Define portfolio types
• Align and integrate Value Management with enterprise financial planning
• Establish effective governance monitoring
• Implement lessons learned

Manage the Investment Portfolio (PM)
• Establish strategic direction and target investment mix
• Determine availability and sources of funding
• Human Resource Management
• Evaluate and select programmes to fund
• Monitor and report on portfolio performance
• Optimise portfolio performance

Manage the Investments (IM)
• Develop and evaluate initial programme concept business case
• Understand candidate programme and implementation options
• Develop the programme plan
• Develop full life cycle costs and benefits
• Develop detailed candidate programme business case
• Launch and manage the programme
• Update operational IT portfolios
• Update the business case
• Monitor and report on the programme
• Retire the programme

VG processes

• VG01 Establish informed and committed leadership:


- VG01.1 Develop an understanding of significance of IT and role of
governance
- VG01.2 Establish effective reporting lines
- VG01.3 Establish a leadership forum
- VG01.4 Define value for the enterprise
- VG01.5 Ensure alignment and integration of business and IT strategies
with key business goals
• VG02 Define and implement processes:
- VG02.1 Define the value governance framework
- VG02.2 Assess the quality and coverage of current processes
- VG02.3 Identify and prioritise process requirements
- VG02.4 Define and document processes
- VG02.5 Establish, implement and communicate roles, responsibilities and
accountabilities
- VG02.6 Establish organisational structures
• VG03 Define portfolio characteristics:
- VG03.1 Define portfolio types
- VG03.2 Define categories (within portfolios)
- VG03.3 Develop and communicate evaluation criteria (for each category)
- VG03.4 Assign weightings to criteria
- VG03.5 Define requirements for stage-gates and other reviews (for each
category)
Example

VG01.1 Develop an understanding of significance of IT and role of governance

[Figure: 2×2 grid. Axes: low to high need for reliable information technology; low to high need for new information technology. Quadrants: Factory Mode, Strategic Mode, Support Mode, Turnaround Mode.]

Nolan R., McFarlan F.W., 2005, Information Technology and Board
of Directors, Harvard Business Review
Example

VG03.2 Define categories (within portfolios)

KBC: ICT basic budget
• Investment budget: major business enablement and infrastructure budget (+/- 33%), e.g. implementation SAP
• Continuity budget: upgrade or enhancement of existing applications (+/- 33%), e.g. implementation of specific reporting due to legal requirements
• Maintenance budget: break/fix projects under eight man weeks (+/- 33%), e.g. creation of new screens
• Production budget (+/- 50%)
• +/- 50% (second label in the figure, placed beside the Continuity budget)

Weill
• Informational: Increased control, Better information, Better integration, Improved quality
• Strategic: Increased sales, Competitive advantage, Competitive necessity, Market positioning, Innovative services
• Transactional: Cut costs, Increased throughput
• Infrastructure: Business integration, Business flexibility and agility, Reduced marginal costs of business unit’s IT, Reduced IT costs over time, Standardization

McKinsey
• Change The Rule
• Win The Race
• Stay In The Race
Example

VG03.3 Develop and communicate evaluation criteria (for each category)

Project class and basic criteria, by level:

Level | Project class: number of planned man days | Profitability: pay back time (years) | Competitive advantage | Operational urgency | Decision support
HIGH | > 2000 | < 1.5 | Improve performance significantly on customer key buying factors for strategic segments | Direct reaction on extreme operational risk, changed legal or operational environment, extreme maintenance risk | High impact support for key decision makers
MEDIUM HIGH | 1000 – 2000 | 1.5 – 2.5 | Improve performance on customer key buying factors for other segments | Eliminate critical operational handicaps | Other support for key decision makers
MEDIUM | 500 – 1000 | 2.5 – 4 | Improve performance slightly on customer key buying factors | Reduce weak points in current operations | High impact for other management
MEDIUM LOW | 200 – 500 | 4 – 6 | Improve performance on other buying factors | Avoid small problems in operational usage | Ongoing support for other management
LOW | < 200 | > 6 | No impact on competitive position | No urgency | No impact on management effectiveness

Points per criterion (rows: project class; columns: level on the criterion):

Profitability
Project class | L | ML | M | MH | H
H | 1 | 1 | 2 | 2 | 3
MH | 1 | 1 | 2 | 3 | 4
M | 1 | 2 | 3 | 3 | 4
ML | 1 | 2 | 3 | 4 | 5
L | 1 | 2 | 3 | 4 | 5

Competitive advantage
Project class | L | ML | M | MH | H
H | 1 | 1 | 1 | 2 | 3
MH | 1 | 1 | 2 | 3 | 4
M | 1 | 1 | 2 | 4 | 4
ML | 1 | 1 | 3 | 4 | 5
L | 1 | 2 | 4 | 5 | 5

Operational urgency
Project class | L | ML | M | MH | H
H | 1 | 1 | 1 | 2 | 5
MH | 1 | 1 | 2 | 3 | 5
M | 1 | 1 | 2 | 3 | 5
ML | 1 | 1 | 3 | 4 | 5
L | 1 | 2 | 3 | 4 | 5

Decision support
Project class | L | ML | M | MH | H
H | 1 | 1 | 1 | 1 | 1
MH | 1 | 1 | 1 | 1 | 2
M | 1 | 1 | 1 | 2 | 3
ML | 1 | 1 | 2 | 3 | 4
L | 1 | 2 | 3 | 4 | 5

Decision rules:
A: 5 points on at least one criterion. Accept, high priority
B: 4 points on profitability or 3 points on at least two criteria. Accept
C: 3 points on profitability or total of 7 points. Accept if resources available
D: 3 points on one criterion. Accept only if subcontractable
E: All other projects. Decline

Sidmar-Arcelor
VG processes

• VG04 Align and integrate Value Management with enterprise financial planning:
- VG04.1 Review current enterprise budgeting practices
- VG04.2 Determine Value Management financial planning practice
requirements
- VG04.3 Identify changes required
- VG04.4 Implement optimal financial planning practices for Value
Management
• VG05 Establish effective governance monitoring:
- VG05.1 Identify key metrics
- VG05.2 Define information capture processes and approaches
- VG05.3 Define reporting methods and techniques
- VG05.4 Identify and monitor performance improvement actions
• VG06 Continuously improve Value Management practices
- VG06.1 Implement lessons learnt

49
PM processes

• PM01 Establish strategic direction and target investment mix:


- PM 1.1 Review and ensure clarity of business strategy and goals
- PM 1.2 Identify opportunities for IT to support and influence the business
strategy
- PM 1.3 Define appropriate investment mix
- PM 1.4 Translate business strategy and goals into IT strategy and goals
• PM02 Determine the availability and sources of funds:
- PM02.1 Determine overall investment funds
• PM03 Manage availability of human resources:
- PM03.1 Create and maintain an inventory of business human resources
- PM03.2 Understand the current and future demand (for business human
resources)
- PM03.3 Identify shortfalls (between current and future business human
resource demand)
- PM03.4 Create and maintain tactical plans (for business human resources)
- PM03.5 Monitor, review and adjust (business function allocation and
staffing)
- PM03.6 Create and maintain an inventory of IT human resources
- PM03.7 Understand the current and future demand (for IT human
resources)
- PM03.8 Identify shortfalls (between current and future IT human resource
demand)
- PM03.9 Create and maintain tactical plans (for IT human resources)
- PM03.10 Monitor, review and adjust (IT Function allocation and staffing)

50
51
Example

PM 1.4 Translate business strategy and goals into IT strategy and goals

Business Goals

Risk management
Reducing transaction cost
Reducing operational cost
Improving competitiveness through IT
Shortening service development lifecycle
Post-merger integration and consolidation
Improving customer orientation and service
Tailoring solutions for different target groups
Achieving compliance with Basel II regulations

[Figure: matrix relating the business goals above to IT goals, with each cell marked P or S. The IT goal column headings were rotated on the slide and cannot be recovered from the extracted text.]
PM processes

• PM04 Evaluate and select programmes to fund:


- PM 4.1 Evaluate and assign relative scores to programme business cases
- PM 4.2 Create overall investment portfolio view
- PM 4.3 Make and communicate investment decisions
- PM 4.4 Specify stages-gate and allocate funds to selected programmes
- PM 4.5 Adjust business targets, forecasts and budgets
• PM05 Monitor and report on investment portfolio performance
- PM 5.1 Monitor and report on portfolio performance
• PM06 Optimise investment portfolio performance
- PM 6.1 Optimise portfolio performance
- PM 6.2 Reprioritise the portfolio

52
Example

PM 4.1 Evaluate and assign relative scores to programme business cases

Scoring of investment dossiers

Columns: ATS, Trekk., Pnr, dossier name, followed by up to ten numeric scores grouped under "Value category" and "Risks". The individual score headings were rotated on the slide and their order cannot be recovered; the heading terms that survive, translated from Dutch, are: return; alignment with strategy; competitive advantage and necessity; management information support; reduction of operational risks; necessity; architecture; project risk and organisational risk; functional uncertainty; technical uncertainty.

Investment dossiers
Dossiers continuing in 2004
RET MKT 0020 Intrest and liquidity risk (ALM_TDI) 1 5 4 5 5 5 5 2 5 5
OND OND 0021 Quantitative Credit Risk Management (QCR) 4 5 5 5 5 5 1 4 5 5
RET RET 0119 KBD : Multikanalen krediettoep. aan particulieren 4 5 4 3 3 5 5 2 1 1
RET RET 0202 KIT 4 5 4 4 3 3 5 3 1 3
RET RET 0232 Oleander (totaaloplossing Leven Ondernemingen) 1 5 5 1 3 5 3 3 1 2
NAV NAV 0245 Collateral Management Fase 2 5 3 3 1 3 5 5 3 3 4
BED BED 0292 Bankwijd Web-enablen van ICMtoepassingen 4 5 5 1 3 1 1 4 1 3
NAV NAV 0397 IPE / EBOBA 1 5 4 1 3 5 3 4 5 4
NAV NAV 0399 Verwerking OTC Derivaten 4 5 4 4 3 5 4 1
RET RET 0403 VA Front-end Leven
RET RET 0406 Product fabriek Schadeverzekeringen 2 5 4 1 1 5 3 4 1 3
OND OND 0442 Operationeel Risicobeheer 5 5 5 5 5 3 5 3 3 3
RET RET 0449 Herwerken cliënten output 5 5 4 5 1 5 5 3 5 2
OND OND 0456 IAS Verzekeringen 4 5 4 5 5 3 3 4 5 3
OND OND 0479 Beperking van de volatiliteit onder IAS 1 5 3 5 5 3 1 4 5 2
OND OND 0501 ERP voor ondersteunende diensten B+V
RET RET 0518 OFS (Ontwikkeling Financiele Services) 4 5 4 1 3 5 5 3 1 3
New
RET RET 0308 Migratie Centea 1 5 3 1 5 5 3 3 1 3
OND OND 0480 Reconciliatietool 1 5 1 3 3 5 1 3 3
RET RET 0884 Pleander Voorstudie Particulieren leven anders 1 5 5 2 3 5 3 2 5 2
OND OND 0887 Europese Spaarfiscaliteit 1 5 4 3 3 5 4 5 1
OND OND 0899 ERP - Fase 2 1 5 5 5 5 3 5 4 5 3

Yellow Green Red

53


Example

PM 4.2 Create overall investment portfolio view

[Figure: bubble chart "Financial Worth vs. Risk". Vertical axis: Financial Worth (0 to 10). Horizontal axis: Overall Risk (10 down to 0). The chart area is divided into Proceed, Hold and Stop zones. Programs plotted: Program 01, 02, 03, 06, 07, 08, 09, 11, 12, 13, 15, 16, 17, 19, 21, 23 and 24.]

Legend (per program): Financial Worth, Right Things, Confirmed Benefits, Right Way, Done Well
Green = “Are” Risk score between 1 & 3.9
Yellow = “Are” Risk score between 4 & 6.9
Red = “Are” Risk score between 7 & 10

54
Source: Fujitsu
IM processes

• IM01 Develop and evaluate initial programme concept business case:


- IM01.1 Recognise investment opportunities
- IM01.2 Develop initial programme concept business case
- IM01.3 Evaluate initial programme concept business case
• IM02 Understand the candidate programme and implementation options:
- IM02.1 Develop a clear and complete understanding of the candidate
programme
- IM02.2 Perform alternatives analysis
• IM03 Develop the programme plan:
- IM03.1 Develop a programme plan
• IM04 Develop full life-cycle costs and benefits:
- IM04.1 Identify full life-cycle costs and benefits
- IM04.2 Develop benefits realisation plan
- IM04.3 Perform appropriate reviews and obtain sign-offs
• IM05 Develop the detailed candidate programme business case:
- IM05.1 Develop detailed programme business case
- IM05.2 Assign clear accountability and ownership
- IM05.3 Perform appropriate reviews and obtain sign-offs

55
IM04.1 Identify full life-cycle costs and benefits

56
Example

IM04.2 Develop benefits realisation plan (example of a web2.0 programme)

We are here on the Journey

[Figure: benefits chain with the stages Programme Outputs/Capability, Operational & Business Changes, Business Outcomes, Intermediate Benefits, End Benefits and ISACA Strategic Objectives.]

Examples shown on the slide:
- Enhanced web & E-commerce System
- Business Process Reengineering, e.g. Registration, Exams & certification
- More Automated Processes, Less outages, Faster search engine
- Improved Online self Help, reduced Calls for help, Reducing costs
- Create Expanded access to Knowledge & Networking Opportunities
- ISACA Strategy Map, e.g. A07 Enhance Community Experience

LEGEND
Output describes a feature or enables a new outcome.
Outcome is the desired operational result.
Benefit is the measurement of an outcome and describes an advantage accruing from the outcome.
An End Benefit is a direct contribution to a strategic objective.

57
Example
IM05.1 Develop detailed programme business case

1. Cover sheet
Programme name
Business sponsor
Programme manager
Revision notes
Validation signatures
Approval signature

2. Executive summary
Programme context
Name
Business sponsor
Track record of management team
Category of investment
Programme description/profile
Synopsis of business case assessment
Programme contribution (value)
Programme timing (schedule)
Risk, financial return and alignment scores
Dependencies
Key risks
Comparative value summary

3. Are we doing the right things? (Why?)
Financial benefits (full economic life cycle, best case, worst case, most likely case)
Financial costs (full economic life cycle, full IT and business costs, best case, worst case, most likely case)
Non-financial benefits (alignment)
Non-financial (alignment, efficiency) costs
Risk analysis (key risks and mitigation strategies)
Organisational change impact
Impact of not doing the programme - Opportunity cost

58
Example
IM05.1 Develop detailed programme business case

4. Are we doing things the right way? (What and How?)
Alternative approaches
Selected approach
High-level analytic model
Programme milestones
Critical success factors
Programme dependencies
Enterprise architecture compliance
Security policy compliance
Key risks

5. Are we doing things well? (How?)
Programme execution plan
High-level benefits realisation plan
Risk management
Change management
Governance structure (controls)
Key risks

6. Are we getting the benefits?
Description of benefits (projected life, full economic life cycle, best case, worst case, most likely, or base, case)
High-level benefits register
Financial benefits
Key risks

7. Appendices
Detailed analytic model
Detailed project plan
Detailed risk management plan
Detailed benefits realisation plan
Full benefits register

59
IM processes

• IM06 Launch and manage the programme:


- IM06.1 Plan projects, resource and launch the programme
- IM06.2 Manage the programme
- IM06.3 Track and manage benefits
• IM07 Update operational IT portfolios:
- IM07.1 Update operational IT portfolios
• IM08 Update the business case:
- IM08.1 Update the business case
• IM09 Monitor and report on the programme:
- IM09.1 Monitor and report on programme (solution delivery) performance
- IM09.2 Monitor and report on business (benefit/outcome) performance
- IM09.3 Monitor and report on operational (service delivery) performance
• IM10 Retire the programme:
- IM10.1 Retire the programme

60
VALIT Management Guidelines

Process: IM1

Inputs / outputs

Inputs:
- High-level business requirements
- Appropriate investment mix
- IT services portfolio (from COBIT PO1)
- IT cost-benefit estimates (from COBIT PO5)
- Risk assessment (from COBIT PO9)
Other entries in the From column: *, PM1

Outputs:
- Initial business case
- Initial business case approval
Entries in the To column: IM2, IM3, IM4, IM6, COBIT PO1, COBIT PO5, COBIT PO10, COBIT AI1

RACI

Function columns (rotated headings on the slide, order not recoverable), as far as they can be read: Board, CEO, CFO, CIO, Investment and Services Board, Business Sponsor, Business Management, Programme Manager, Programme Management Office, Project Management Office, Value Management Office, and Compliance, Audit, Risk, Security. The letters after each activity are given in the order extracted; empty cells were lost, so the letters cannot be assigned to specific columns.

- Create an environment that fosters and welcomes new ideas and acknowledges their champions. R A/R R R
- Suggest new opportunities. R A/R R R R R R R
- Capture opportunities for investment programmes to create value in support of the business strategy or to address operational or compliance issues. C C C R C R A/R
- Categorise the opportunity. Clarify expected business outcome(s) and identify, at a high level, business, process, people, technology and organisational initiatives required to achieve the expected outcomes. C R C C A/R
- Determine which opportunities to pursue further or examine in more depth, and identify and assign a business sponsor for each opportunity to be pursued. C C C C C C A/R C
- Describe the business outcome(s) to which the potential programme will contribute, the nature of the programme’s contribution, and how the contribution would be measured. C C C A R R
- Identify high-level initiatives that might be required to achieve these outcomes.
- Estimate the high-level benefits, both financial and non-financial, and the costs for the full economic life cycle of the programme.
  (letters for these two rows run together in the extraction: C C C C C A A R R R R)
- State any key assumptions and identify key risks, along with their potential impact on current and future business operations, and mitigation strategies. C C R A R R
- Document the initial programme concept business case with information obtained. C A R
- Review and evaluate the initial programme concept business case. C C C A R R R
- Determine whether the programme should proceed to full programme definition and evaluation. C C C A R R R
- Obtain CIO approval and sign-off on the technical aspects of the initial programme concept business case. I R A R
- Obtain business sponsor approval and sign-off on overall initial programme concept business case. I A R

Goal & metrics

GOALS

Activities
• An environment that fosters and captures new ideas exists.
• A process and responsibilities for submission and categorisation of new ideas exist and are used.
• Champions of new ideas that are adopted are rewarded.
• Outlines of potential business initiatives and their outcomes are identified.
• High-level benefits and costs are identified for potential investment.
• Significant risks, and assumptions and mitigation plans are documented.
• The content of initial programme

Process
• Individuals throughout the enterprise suggest new investment opportunities.
• Ideas are collected, understood and categorised correctly for the investment portfolio.
• Good ideas are selected efficiently and expediently for further study.
• Good ideas are assigned business sponsors.
• Documented initial concept business cases with outcomes, benefits, assumptions, costs and risks are prepared.

IM
• Ensure that the enterprise’s individual IT-enabled investments contribute to optimal value.

METRICS

Activities
• Number of suggestions
• Percentage of champions rewarded
• Consistency and compliance of assessments and assumptions with enterprise’s processes and practices
• Elapsed time between approval to prepare initial programme concept business case and sign-offs being obtained
• Age and backlog of non-processed ideas
• Number of programme concept business cases considered

Process
• Percentage of ideas accepted to be developed into initial programme concept business cases
• Number of new ideas per investment category
• Number of ideas trying to bypass enterprise’s processes and practices
• Number and percentage of sign-offs obtained without resubmission
• Number and percentage of programme concept business cases that continue to full business case development

IM
• Contribution of individual IT-enabled investments to optimal value

61
Roles & Responsibilities

Role: Suggested definition

- Board: The group of the most senior executives and/or non-executives of the enterprise, who are accountable for the governance of the enterprise and have overall control of its resources
- Business sponsor (incl. service owner): The individual accountable for delivering benefits and value to the enterprise from an IT-enabled business investment programme
- Business unit executives / managers: Business individuals with roles with respect to a programme
- Compliance, audit, risk and security (CARS): The function(s) in the enterprise responsible for compliance, audit, risk and security
- Chief Executive Officer (CEO): The highest ranking officer, who is in charge of the total management of the enterprise
- Chief Financial Officer (CFO): The most senior official of the enterprise, who is accountable for financial planning, record keeping, investor relations and financial risks
- Chief Information Officer (CIO): The most senior official of the enterprise, who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information, and the deployment of associated human resources
- Investment and services board (ISB): A management structure primarily accountable for managing the enterprise’s portfolio of investment programmes and existing/current services and, thus, managing the level of overall funding to provide the necessary balance between enterprise-wide and specific line-of-business needs
- Head of Human Resources: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
- Programme Manager: The individual responsible for the achievement of the programme’s objectives
- Programme Management Office (PgMO): The function responsible for supporting programme managers and gathering, assessing and reporting information about the conduct of their programmes and constituent projects
- Project Management Office (PMO): The function for supporting project managers; defining and propagating standardised methodologies; and gathering, assessing and reporting information about the conduct of their projects
- Value Management Office (VMO): The function that acts as the secretariat for the ISB in managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, value governance/management methods and controls, and reporting on progress in sustaining and creating value from investments and services

62
Relational mechanisms
(Peterson, 2003)

• Effective communications and knowledge sharing

• Active participation and collaboration of principal stakeholders

• Partnership rewards and incentives

• Business/IT collocation

• Cross-functional business/IT training and job rotation

• IT leadership

•…

63
IT governance international benchmarking

IT governance implementation status

(“IT governance global status report”, ITGI, 2008)


64
IT governance implementation
by industry

(“IT governance global status report”, ITGI, 2008)


65
Agenda

• Enterprise Governance of IT

• Enterprise Governance of IT practices

• Enterprise Governance of IT as enabler for business / IT alignment

• Enterprise Governance of IT as enabler for business value

66
Implementation of EGIT in practice

Requires:

A holistic set of
• Governance Processes
• Structures
• Relational Mechanisms
at all 3 layers of the organization.

[Figure: Enterprise governance of IT, built from Structures, Processes and Relational mechanisms]

67
12 structures
“a list of 33 EGIT
practices based on
delphi research”

11 processes

10 relational mechanisms

68
EGIT: Practices identified & defined structures: 12 practices

Best Practice / Definition / Level (columns B and E/S)

• IT strategy committee at level of board of directors
  Definition: Committee at level of board of directors to ensure IT is regular agenda item and reporting issue for the board of directors
  Level: x
• IT expertise at level of board of directors
  Definition: Members of the board of directors have expertise and experience regarding the value and risk of IT
  Level: x
• (IT) audit committee at level of board of directors
  Definition: Independent committee at level of board of directors overviewing (IT) assurance activities
  Level: x
• CIO on executive committee
  Definition: CIO is a full member of the executive committee
  Level: x
• CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
  Definition: CIO has a direct reporting line to the CEO and/or COO
  Level: x
• IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
  Definition: Steering committee at executive or senior management level responsible for determining business priorities in IT investments.
  Level: x

69
EGIT: Practices identified & defined structures: 12 practices

Best Practice / Definition / Level (columns B and E/S)

• IT governance function / officer
  Definition: Function in the organisation responsible for promoting, driving and managing IT governance processes
  Level: x
• Security / compliance / risk officer
  Definition: Function responsible for security, compliance and/or risk, which possibly impacts IT
  Level: x
• IT project steering committee
  Definition: Steering committee composed of business and IT people focusing on prioritising and managing IT projects
  Level: x
• IT security steering committee
  Definition: Steering committee composed of business and IT people focusing on IT related risks and security issues
  Level: x
• Architecture steering committee
  Definition: Committee composed of business and IT people providing architecture guidelines and advice on their applications.
  Level: x
• Integration of governance/alignment tasks in roles & responsibilities
  Definition: Documented roles & responsibilities include governance/alignment tasks for business and IT people (cf. Weill)
  Level: x x

70
EGIT: Practices identified & defined processes: 11 practices

Best Practice / Definition / Level (columns B and E/S)

• Strategic information systems planning
  Definition: Formal process to define and update the IT strategy
  Level: x x
• IT performance measurement (e.g. IT balanced scorecard)
  Definition: IT performance measurement in domains of corporate contribution, user orientation, operational excellence and future orientation
  Level: x x
• Portfolio management (incl. business cases, information economics, ROI, payback)
  Definition: Prioritisation process for IT investments and projects in which business and IT is involved (incl. business cases)
  Level: x x
• Charge back arrangements - total cost of ownership (e.g. activity based costing)
  Definition: Methodology to charge back IT costs to business units, to enable an understanding of the total cost of ownership
  Level: x
• Service level agreements
  Definition: Formal agreements between business and IT about IT development projects or IT operations
  Level: x

71
EGIT: Practices identified & defined processes: 11 practices

Best Practice / Definition / Level (columns B and E/S)

• IT governance framework COBIT
  Definition: Process based IT governance and control framework
  Level: x
• IT governance assurance and self-assessment
  Definition: Regular self-assessments or independent assurance activities on the governance and control over IT
  Level: x x
• Project governance / management methodologies
  Definition: Processes and methodologies to govern and manage IT projects
  Level: x
• IT budget control and reporting
  Definition: Processes to control and report upon budgets of IT investments and projects
  Level: x x
• Benefits management and reporting
  Definition: Processes to monitor the planned business benefits during and after implementation of the IT investments / projects.
  Level: x x
• COSO / ERM
  Definition: Framework for internal control
  Level: x x

72
EGIT: Practices identified & defined relational mechanisms:
10 practices

Best Practice / Definition / Level (columns B and E/S)

• Job-rotation
  Definition: IT staff working in the business units and business people working in IT
  Level: x
• Co-location
  Definition: Physically locating business and IT people close to each other
  Level: x
• Cross-training
  Definition: Training business people about IT and/or training IT people about business
  Level: x
• Knowledge management (on IT governance)
  Definition: Systems (intranet, …) to share and distribute knowledge about IT governance framework, responsibilities, tasks, etc.
  Level: x x
• Business/IT account management
  Definition: Bridging the gap between business and IT by means of account managers who act as in-between
  Level: x

73
EGIT: Practices identified & defined relational mechanisms:
10 practices

Best Practice / Definition / Level (columns B and E/S)

• Executive / senior management giving the good example
  Definition: Senior business and IT management acting as "partners"
  Level: x
• Informal meetings between business and IT executive/senior management
  Definition: Informal meetings, with no agenda, where business and IT senior management talk about general activities, directions, etc. (eg. during informal lunches)
  Level: x
• IT leadership
  Definition: Ability of CIO or similar role to articulate a vision for IT's role in the company and ensure that this vision is clearly understood by managers throughout the organization
  Level: x x
• Corporate internal communication addressing IT on a regular basis
  Definition: Internal corporate communication regularly addresses general IT issues.
  Level: x x
• IT governance awareness campaigns
  Definition: Campaigns to explain to business and IT people the need for IT governance
  Level: x x

74
Perceived effectiveness of EGIT practices

IT steering committee (IT investment evaluation / prioritisation)


CIO reporting to CEO and/or COO
CIO on executive committee
IT budget control and reporting
Portfolio management (incl. business cases, information economics, ROI, payback)
Project governance / management methodologies
IT project steering committee
IT performance measurement (e.g. IT balanced scorecard)
IT leadership
Executive / senior management giving the good example
Strategic information systems planning
Informal meetings between business and IT executive/senior management
Business/IT account management
IT strategy committee at level of board of directors
Service level agreements
Corporate internal communication addressing IT on a regular basis
IT governance framework COBIT
Charge back arrangements - total cost of ownership (e.g. activity based costing)
Security / compliance / risk officer
Knowledge management (on IT governance)
Integration of governance/alignment tasks in roles&responsibilities
(IT) audit committee at level of board of directors
IT expertise at level of board of directors
Architecture steering committee
IT governance function / officer
Benefits management and reporting
IT governance awareness campaigns
IT security steering committee
Cross-training
Co-location
IT governance assurance and self-assessment
Job-rotation
COSO / ERM

[Bar chart of the practices listed above; horizontal axis from 0,0 to 5,0]
0 = not effective, 5 = very effective

75
Perceived ease of implementation of EGIT practices
CIO reporting to CEO and/or COO
Security / compliance / risk officer
IT project steering committee
IT budget control and reporting
Informal meetings between business and IT executive/senior management
Corporate internal communication addressing IT on a regular basis
IT security steering committee
CIO on executive committee
(IT) audit committee at level of board of directors
IT strategy committee at level of board of directors
IT steering committee (IT investment evaluation / prioritisation)
Business/IT account management
IT governance awareness campaigns
Service level agreements
Architecture steering committee
IT governance function / officer
Co-location
Project governance / management methodologies
IT leadership
Cross-training
Strategic information systems planning
Executive / senior management giving the good example
IT performance measurement (e.g. IT balanced scorecard)
Knowledge management (on IT governance)
Portfolio management (incl. business cases, information economics, ROI, payback)
Integration of governance/alignment tasks in roles&responsibilities
IT governance assurance and self-assessment
IT governance framework COBIT
Job-rotation
Charge back arrangements - total cost of ownership (e.g. activity based costing)
Benefits management and reporting
IT expertise at level of board of directors
COSO / ERM

[Bar chart of the practices listed above; horizontal axis from 0,0 to 4,5]
0 = not easy to implement, 5 = very easy to implement

76
[Figure: scatter plot of the 33 EGIT practices. Vertical axis: Effectiveness (Low to High). Horizontal axis: Ease of implementation (Difficult to implement to Easy to implement).]

Regions labelled on the plot:
- IT governance practices that are highly effective but difficult to implement
- Key minimum baseline IT governance practices
- IT governance practices that are highly effective and easy to implement
- IT governance practices whose value is challenged

Practices called out on the slide:
• IT steering committee
• IT project steering committee
• Having the CIO reporting to the CEO
• Project management methodologies
• Portfolio management
• IT budget control and reporting
• IT leadership

Legend
S1 IT strategy committee at level of board of directors
S2 IT expertise at level of board of directors
S3 (IT) audit committee at level of board of directors
S4 CIO on executive committee
S5 CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
S6 IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
S7 IT governance function / officer
S8 Security / compliance / risk officer
S9 IT project steering committee
S10 IT security steering committee
S11 Architecture steering committee
S12 Integration of governance/alignment tasks in roles&responsibilities
P1 Strategic information systems planning
P2 IT performance measurement (e.g. IT balanced scorecard)
P3 Portfolio management (incl. business cases, information economics, ROI, payback)
P4 Charge back arrangements - total cost of ownership (e.g. activity based costing)
P5 Service level agreements
P6 IT governance framework COBIT
P7 IT governance assurance and self-assessment
P8 Project governance / management methodologies
P9 IT budget control and reporting
P10 Benefits management and reporting
P11 COSO / ERM
R1 Job-rotation
R2 Co-location
R3 Cross-training
R4 Knowledge management (on IT governance)
R5 Business/IT account management
R6 Executive / senior management giving the good example
R7 Informal meetings between business and IT executive/senior management
R8 IT leadership
R9 Corporate internal communication addressing IT on a regular basis
R10 IT governance awareness campaigns

77
Assignment

EGIT practices in a case organisation

78
Organisation
Maturity Rationale
IT strategy committee at level of board of directors 0 1 2 3 4 5
IT expertise at level of board of directors 0 1 2 3 4 5
(IT) audit committee at level of board of directors 0 1 2 3 4 5
CIO on executive committee 0 1 2 3 4 5
CIO reporting to CEO and/or COO 0 1 2 3 4 5
IT steering committee (IT investment evaluation / prioritisation at executive / senior management level) 0 1 2 3 4 5
IT governance function / officer 0 1 2 3 4 5
Security / compliance / risk officer 0 1 2 3 4 5
IT project steering committee 0 1 2 3 4 5
IT security steering committee 0 1 2 3 4 5
Architecture steering committee 0 1 2 3 4 5
Integration of governance/alignment tasks in roles&responsibilities 0 1 2 3 4 5
Strategic information systems planning 0 1 2 3 4 5
IT performance measurement (e.g. IT balanced scorecard) 0 1 2 3 4 5
Portfolio management (incl. business cases, information economics, ROI, payback) 0 1 2 3 4 5
Charge back arrangements - total cost of ownership (e.g. activity based costing) 0 1 2 3 4 5
Service level agreements 0 1 2 3 4 5
IT governance framework COBIT 0 1 2 3 4 5
IT governance assurance and self-assessment 0 1 2 3 4 5
Project governance / management methodologies 0 1 2 3 4 5
IT budget control and reporting 0 1 2 3 4 5
Benefits management and reporting 0 1 2 3 4 5
COSO / ERM 0 1 2 3 4 5
Job-rotation 0 1 2 3 4 5
Co-location 0 1 2 3 4 5
Cross-training 0 1 2 3 4 5
Knowledge management (on IT governance) 0 1 2 3 4 5
Business/IT account management 0 1 2 3 4 5
Executive / senior management giving the good example 0 1 2 3 4 5
Informal meetings between business and IT executive/senior management 0 1 2 3 4 5
IT leadership 0 1 2 3 4 5
Corporate internal communication addressing IT on a regular basis 0 1 2 3 4 5
IT governance awareness campaigns 0 1 2 3 4 5
79
Other practices
General remarks
Assignment

Assess the “As-Is” and “To-Be” EGIT situation in your organisation

0 Non-existent
There is a complete lack of any recognisable IT Governance process.
1 Initial/ad hoc
The organisation has recognised that IT Governance issues exist and need
to be addressed.
2 Repeatable but intuitive
There is awareness of IT Governance objectives, and practices are
developed and applied by individual managers.
3 Defined process
The need to act with respect to IT Governance is understood and
accepted. Procedures have been standardised, documented and
implemented.
4 Managed and measurable
IT Governance evolves into an enterprise-wide process and IT
Governance activities are becoming integrated with the enterprise
governance process.
5 Optimised
Enterprise governance and IT Governance are strategically linked,
leveraging technology and human and financial resources to increase the
competitive advantage of the enterprise.
80
Agenda

• Enterprise Governance of IT

• Enterprise Governance of IT practices

• Enterprise Governance of IT as enabler for business / IT alignment

• Enterprise Governance of IT as enabler for business value

81
Business/IT Alignment

• Research concerning difficulties experienced by organisations while aligning business and IT.
- Expression barriers (lack of direction in business strategy)
- Specification barriers (lack of IT involvement in strategy development)
- Implementation barriers (difficult integration of legacy systems)

82
Business/IT Alignment

• Henderson and Venkatraman (SAM model)

[Diagram: 2x2 strategic alignment model. Columns (functional integration): Business, Information Technology. External row: Business Strategy, IT Strategy. Internal row: Organizational infrastructure and processes, IS infrastructure and processes. Rows are linked by strategic fit.]

83
Strategic Alignment
(Henderson and Venkatraman, 1993)

[Diagram: 2x2 strategic alignment model. Columns (functional integration): Business, Information Technology. External row: Business strategy, IT strategy. Internal row: Operational infrastructure and processes, IT infrastructure and processes. Rows are linked by strategic fit.]

84
Strategic Alignment model

Business strategy as the driver: strategy execution alignment perspective


Business strategy is articulated and is the driver
of both organizational and IT infrastructure design
[Diagram: 2x2 strategic alignment model. Columns (functional integration): Business, Information Technology. External row: Business strategy, IT strategy. Internal row: Operational infrastructure and processes, IT infrastructure and processes. Rows are linked by strategic fit.]

85
Strategic Alignment model

Business strategy as the driver: technology transformation alignment perspective


Implementing the chosen business strategy through appropriate
IT strategy and required IT infrastructure and processes
[Diagram: 2x2 strategic alignment model. Columns (functional integration): Business, Information Technology. External row: Business strategy, IT strategy. Internal row: Operational infrastructure and processes, IT infrastructure and processes. Rows are linked by strategic fit.]

86
Strategic Alignment model

IT strategy as the enabler: service level alignment perspective


Focuses on how to build a world-class IT service organization

[Diagram: 2x2 strategic alignment model. Columns (functional integration): Business, Information Technology. External row: Business strategy, IT strategy. Internal row: Operational infrastructure and processes, IT infrastructure and processes. Rows are linked by strategic fit.]

87
Business/IT Alignment

• Maes (extension SAM model)


[Diagram: 3x3 grid. Columns: business, information/communication, technology. Rows: strategy, structure, operations.]

88
Assignment

Business / IT alignment assessment through business goals / IT goals

89
Assignment: linking business goals to IT goals

90
91
Linking business goals – IT goals

Business Goals

Risk management
Reducing transaction cost
Reducing operational cost
Improving competitiveness through IT
Shortening service development lifecycle
Post-merger integration and consolidation
Improving customer orientation and service
Tailoring solutions for different target groups
Achieving compliance with Basel II regulations

[Matrix: business goals (rows) against IT goals (columns), cells marked P or S]

Aligning business goals and IT goals

• UAMS-ITAG/ITGI research:
- Previous research
• 20 business goals and 28 IT goals
• Across multiple sectors
- This study
• Validate business and IT goals
• Gain insight in priorities for different sectors
• Examine relationship between IT goals and business goals

92
Aligning business goals and IT goals

• Delphi methodology:
- Structured process for collecting and distilling knowledge
from a group of experts by means of several research
rounds.

• 158 business and IT people

• 5 sectors
- Manufacturing and pharmaceuticals, IT professional services,
telecommunications and media, government, utilities and
healthcare, and retail and transportation.

93
Aligning business goals and IT goals

94
Aligning business goals and IT goals

TOP 10 PRIORITIZED LIST OF BUSINESS GOALS

1. IMPROVE CUSTOMER ORIENTATION AND SERVICE
2. COMPLY WITH EXTERNAL LAWS AND REGULATIONS
3. ESTABLISH SERVICE CONTINUITY AND AVAILABILITY
4. MANAGE (IT RELATED) BUSINESS RISKS
5. OFFER COMPETITIVE PRODUCTS AND SERVICES
6. IMPROVE AND MAINTAIN BUSINESS PROCESS FUNCTIONALITY
7. PROVIDE A GOOD RETURN ON INVESTMENT OF (IT ENABLED) BUSINESS INVESTMENTS
8. ACQUIRE, DEVELOP AND MAINTAIN SKILLED AND MOTIVATED PEOPLE
9. CREATE AGILITY IN RESPONDING TO CHANGING BUSINESS REQUIREMENTS
10. OBTAIN RELIABLE AND USEFUL INFORMATION FOR STRATEGIC DECISION MAKING

TOP 10 PRIORITIZED LIST OF IT GOALS

1. ALIGN THE IT STRATEGY TO THE BUSINESS STRATEGY
2. MAINTAIN THE SECURITY (CONFIDENTIALITY, INTEGRITY AND AVAILABILITY) OF INFORMATION AND PROCESSING INFRASTRUCTURE
3. MAKE SURE THAT IT SERVICES ARE RELIABLE AND SECURE
4. PROVIDE SERVICE OFFERINGS AND SERVICE LEVELS IN LINE WITH BUSINESS REQUIREMENTS
5. PROVIDE IT COMPLIANCE WITH LAWS AND REGULATIONS
6. TRANSLATE BUSINESS FUNCTIONAL AND CONTROL REQUIREMENTS IN EFFECTIVE AND EFFICIENT AUTOMATED SOLUTIONS
7. DELIVER PROJECTS ON TIME AND ON BUDGET MEETING QUALITY STANDARDS
8. DRIVE COMMITMENT AND SUPPORT OF EXECUTIVE MANAGEMENT
9. IMPROVE IT’S COST-EFFICIENCY
10. ACCOUNT FOR AND PROTECT ALL IT ASSETS

95
[Matrix: IT goals (rows) against business goals 1 to 17 (columns), cells marked P or S]

IT Goals
1. Align the IT strategy to the business strategy P S S P P P S S P P S S P S S S P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure P P P P S S P
3. Make sure that IT services are reliable and secure P P P P S S S S S S S S
4. Provide service offerings and service levels in line with business requirements P P S P P S S S S S S S S S
5. Provide IT compliancy with laws and regulations S P P S S S P
6. Translate business functional and control requirements in effective and efficient automated solutions S S S S P S S S S S S S S S
7. Deliver projects on time and on budget meeting quality standards S S S S S S S S S S
8. Drive commitment and support of executive management S S S S S S S S S S
9. Improve IT’s cost-efficiency S P P P S
10. Account for and protect all IT assets S S S S S S
11. Acquire, develop and maintain IT skills that respond to the IT strategy S S P S S S S S
12. Provide IT agility (in responding to changing business needs) S S S S P P S
13. Offer transparency and understanding of IT cost, benefits and risks S S S S P
14. Optimise the IT infrastructure, resources and capabilities S S P S P S S
15. Accomplish proper use of applications, information and technology solutions S S S S S S S S S S S S S
16. Seamlessly integrate applications and technology solutions into business processes S S P S S S S S S S S
17. Ensure that IT demonstrates continuous improvement and readiness for future change S S S P S P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation S S P S S S S P

96
Luftman assessment of business/IT alignment maturity

• Validated instrument
• Used in many studies to assess business/IT alignment
• 6 attributes
- Communications maturity
- Competency/value measurements maturity
- Governance maturity
- Partnership maturity
- Scope & architecture maturity
- Skills maturity

97
attribute characteristics level 1 characteristics level 5
• communications maturity
• understanding of business by IT minimum pervasive
• understanding of IT by business minimum pervasive
• inter/intra-organizational learning casual, ad hoc strong and structured
• protocol rigidity command and control informal
• knowledge sharing ad hoc extra-enterprise
• liaison(s) breadth/effectiveness none or ad hoc extra-enterprise

• competency/value measurements maturity


• IT metrics technical extended to external partners
• business metrics ad hoc extended to external partners
• balanced metrics ad hoc, unlinked business, partner and IT metrics
• service level agreements sporadically present extended to external partners
• benchmarking not generally practiced routinely performed with partners
• formal assessments/reviews none routinely performed
• continuous improvement none routinely performed

• governance maturity
• business strategic planning ad hoc integrated across & external
• IT strategic planning ad hoc integrated across & external
• reporting/organization structure CIO reports to CFO CIO reports to CEO
central/decentral federated
• budgetary/control cost center, erratic investment center, profit center
• IT investment management cost based, erratic business value
• steering committee(s) not formal, regular partnership
• prioritization process reactive value added partner

98
attribute characteristics level 1 characteristics level 5
• partnership maturity
• business perception of IT value IT perceived as a cost IT co-adapts with business
• role of IT in strategic business planning no seat at business table co-adaptive with business
• shared goals, risk, rewards/penalties IT takes risk risks and rewards shared
• IT program management ad hoc continuous improvement
• relationship/trust style conflict/minimum valued partnership
• business sponsor/champion none at the CEO level
• scope & architecture maturity
• traditional, enabler/driver traditional systems business strategy driver/enabler
• standards articulation none or ad hoc inter-enterprise standards
• architectural integration: no formal integration evolve with partners
• functional organization integrated
• enterprise standard enterprise architecture
• inter-enterprise with all partners
• architectural transparency, flexibility none across the infrastructure
• skills maturity
• innovation, entrepreneurship discouraged the norm
• locus of power in the business all executives, including CIO
• management style command and control relationship based
• change readiness resistant to change high, focused
• career crossover none across the enterprise
• education, cross-training none across the enterprise
• attract & retain best talent no program effective program for

99
Example questions
(partnership maturity)

IT is perceived by the business as:


1 A cost of doing business
2 Emerging as an asset
3 A fundamental enabler of future business activity
4 A fundamental driver of future business activity
5 A partner for the business that co-adapts/improvises in bringing value to the firm
6 N/A or don’t know
The following statements are about the IT and business relationship and trust.
1 There is a sense of conflict and mistrust between IT and the business.
2 The association is primarily an “arm’s length” transactional style of relationship.
3 IT is emerging as a valued service provider.
4 The association is primarily a long-term partnership style of relationship.
5 The association is a long-term partnership and valued service provider.
6 N/A or don’t know
The following statements are about the cultural locus of power in making IT-based
decisions. Our important IT decisions are made by:
1 Top business management or IT management at the corporate level only
2 Top business or IT management at corporate level with emerging functional unit level
influence
3 Top business management at corporate and functional unit levels, with
emerging shared influence from IT management
4 Top management (business and IT) across the organization and emerging
influence from our business partners/alliances.
5 Top management across the organization with equal influence from our
business partners/alliances.
6 N/A or don’t know
100
101
Business / IT alignment international benchmark

[Chart: alignment (scale 0 to 5) per sector: Retail, Transportation, Hotel/entertainment, Services, Insurance, Manufacturing, Health, Chemical, Financial, Government, Oil/Gas/Mining, Utilities, Pharmaceutical, Educational, Overall Average]

Business / IT alignment Belgian benchmark

• Result of alignment benchmark research
• 10 Belgian financial enterprises:

Organisation   Number of employees in Belgium   Main activities
A   More than 1000   Banking and Insurance
B   Between 100 and 1000   Banking and Insurance
C   More than 1000   Banking
D   More than 1000   Banking
E   More than 1000   Banking and Insurance
F   More than 1000   Financial transaction services
G   Between 100 and 1000   Banking and Insurance
H   Between 100 and 1000   Banking and Insurance
I   More than 1000   Banking and Insurance
J   More than 1000   Banking and Insurance

102
Business / IT alignment Belgian benchmark

Columns: Organisation; Total number of respondents; Number of IT respondents; Number of business respondents; Average maturity score by IT; Average maturity score by business; Delta; Total alignment maturity score; Deviation from average (absolute, %)

A 9 5 4 2,06 2,14 -0,07 2,10 -0,59 -22%
B 5 3 2 2,27 2,00 0,27 2,16 -0,52 -19%
C 9 3 6 2,59 2,55 0,05 2,56 -0,12 -5%
D 6 3 3 2,98 2,35 0,64 2,67 -0,02 -1%
E 9 5 4 2,69 2,74 -0,05 2,71 0,03 1%
F 8 3 5 3,15 2,46 0,69 2,72 0,04 1%
G 10 5 5 2,75 2,73 0,03 2,74 0,06 2%
H 9 6 2 2,89 2,95 -0,06 2,91 0,22 8%
I 8 5 4 3,23 2,97 0,26 3,11 0,43 16%
J 11 6 5 3,09 3,26 -0,17 3,17 0,48 18%
Total 84 44 40; average total alignment maturity score 2,69

[Figure: organisations A to J positioned on an alignment maturity scale from 1,0 to 4,0]

103
The relationship between EGIT practices and business / IT
alignment

• Research on extreme cases
• Interviews/workshops to define maturity of 33 governance practices

Organization   Interviewees

A   Adjunct-director Organization Department
    Service delivery manager
    Director Organization Department

B   CEO
    Change Manager

I   Head IT Governance
    Head IT Development
    Head Project Management Office

J   CIO
    Head Accounting

104
Defining maturity of 33 EGIT practices

0 Non-existent
There is a complete lack of any recognisable IT Governance process.
1 Initial/ad hoc
The organisation has recognised that IT Governance issues exist and need
to be addressed.
2 Repeatable but intuitive
There is awareness of IT Governance objectives, and practices are
developed and applied by individual managers.
3 Defined process
The need to act with respect to IT Governance is understood and
accepted. Procedures have been standardised, documented and
implemented.
4 Managed and measurable
IT Governance evolves into an enterprise-wide process and IT
Governance activities are becoming integrated with the enterprise
governance process.
5 Optimised
Enterprise governance and IT Governance are strategically linked,
leveraging technology and human and financial resources to increase the
competitive advantage of the enterprise.
105
Practice A B I J
S1 0 0 0 0
S2 4 1 0 1
S3 3 3 3 3
S4 2 5 2 0
S5 2 5 4 5
S6 2 2 4 4
S7 2 0 4 4
S8 2 3 4 5
S9 2 2 4 4
S10 0 0 0 4
S11 0 0 1 3
S12 2 1 2 5
P1 1 2 1 4
P2 1 2 4 4
P3 1 2 4 4
P4 0 0 2 5
P5 0 0 2 4
P6 0 0 1 4
P7 1 0 1 1
P8 2 3 3 4
P9 1 2 4 5
P10 0 1 1 3
P11 0 0 0 0
R1 1 0 1 2
R2 5 2 3 3
R3 2 0 2 1
R4 3 3 4 4
R5 2 0 0 4
R6 2 2 5 5
R7 2 0 0 0
R8 1 4 4 4
R9 2 0 2 3
R10 1 1 1 1
Average 1,48 1,39 2,21 3,12

106
The relationship between EGIT and business/IT alignment

[Figure: organisations A to J positioned on a business/IT alignment maturity scale (1,8 to 3,6), above a chart of maturity of IT governance practices (axis 0,00 to 4,00) for organisations A, B, I and J across Structures, Processes and Relational mechanisms]

107
The relationship between EGIT and business / IT alignment

• Maturity averages
• Clear gap between A-B and I-J

[Chart: maturity averages (axis 0 to 3,5) for organisations A, B, I and J]

108
Extreme cases analysis
EGIT practices versus business / IT alignment

[Charts: maturity (axis 0 to 6) per EGIT practice (S1 to S12, P1 to P11, R1 to R10) for organisations A, B, I and J; average IT governance practices maturity (axis 0 to 3,5) for A, B, I and J; maturity (axis 0,00 to 4,00) across Structures, Processes and Relational mechanisms]

109
Agenda

• Enterprise Governance of IT

• Enterprise Governance of IT practices

• Enterprise Governance of IT as enabler for business / IT alignment

• Enterprise Governance of IT as enabler for business value

110
From enterprise governance of IT to
business value

Enterprise governance of IT -> (enables) -> Business / IT alignment -> (enables) -> Business value from IT investments

111
Business/IT alignment and
Business Value from IT

• Why is alignment important to an organization’s success?
- Research from Chan and Bergeron: impact of alignment on business performance is higher than impact of business strategy or IT strategy
- Productivity paradox (Brynjolfsson)

112
What is the relationship between organizational performance
and IT governance practices based on COBIT 4.1 and Val IT
2.0?

Research scope and model

• Research model and metrics use the available concepts from COBIT and
Val IT.
• Three research constructs
- COBIT and Val IT processes
measured by the implementation status of 34 COBIT processes
and 22 Val IT processes
- Technical, operational and business capabilities
measured by the achievement status of 18 IT goals
- Business Outcome
measured by the achievement status of 17 business goals and 3
Val IT goals

113
Questionnaire - Sample question

114
IT and Business Governance Practices Research Model

Business/IT Alignment

COBIT and Val IT Processes (IT and Business Governance Practices)
- COBIT Processes, measured by processes implementation status
- Val IT processes, measured by processes implementation status

IT Goals
- Technical Capability, measured by IT goals achievement status
- Operational Capability, measured by IT goals achievement status
- IT related Business capability, measured by IT goals achievement status

Business Goals
- Business Outcome, measured by business goals achievement status
115
Research questions

• RQ1: Does the implementation of COBIT processes and Val IT processes have an impact on the achievement of IT goal capabilities (technical, operational and business capabilities)?

• RQ2: Which subset of COBIT and Val IT processes impacts the capabilities the most?

• RQ3: Do the IT goal capabilities have an impact on the achievement of business outcome (business goals)?

• RQ4: Which IT goal capabilities impact business outcome most?

• RQ5: Ultimately, does a cascaded relationship exist between the COBIT/Val IT governance practices, the intermediate capabilities (IT goals), and the business outcome (business goals)?

116
Research questions

• RQ6: What is the implementation status of COBIT and Val IT processes, spread over different sectors, company sizes and regions?

• RQ7: What is the degree of achievement for IT goals and business goals, spread over different sectors, sizes and regions?

• RQ8: Are the detailed business goals – IT goals – IT processes matrices as published in COBIT 4.1 confirmed?

117
Key findings

• The research model cascade is validated:
1. A strong correlation between the implementation of COBIT and
Val IT and the achievement of IT goals
2. A strong correlation between the achievement of IT goals and
the achievement of business goals
• Operational oriented processes are better implemented than
planning, monitoring and value related processes.
• Implementation status of the COBIT and Val IT frameworks is
typically higher in
- Larger organisations
- Organisations from the Financial, Manufacturing and Retail
sector
- European and North American organisations.
• Knowing-Doing Gap: Organisations are aware of the
importance of IT goals such as ‘Align the IT strategy to the
business strategy’ but in practice do not manage to achieve
them in a proper way.
• New empirically researched data is available to further develop
the IT governance body of knowledge and its related
frameworks COBIT and Val IT
118
The validated research cascade model

COBIT and Val IT Processes (IT and Business Governance Practices)
- COBIT Processes, measured by processes implementation status
- Val IT processes, measured by processes implementation status

(1)

IT Goals
- Technical Capability, measured by IT goals achievement status
- Operational Capability, measured by IT goals achievement status
- IT related Business capability, measured by IT goals achievement status

(2)

Business Goals
- Business Outcome, measured by business goals achievement status
119
Implementation status IT processes

• Operational oriented processes (AI and DS) are better implemented than planning (PO) and monitoring (ME) processes.
• COBIT processes are better implemented than Val IT processes

[Chart: implementation status (axis 2,50 to 3,50) for COBIT PO, COBIT AI, COBIT DS, COBIT ME, COBIT Total, Val IT VG, Val IT PM, Val IT IM, Val IT Total]
120
Knowing-doing gap

• Comparing achievement results (this study) and importance results (previous study)
• Differences confirm knowing-doing gap
- IT goal ‘Align the IT strategy to the business strategy’ was
ranked as the most important goal (rank 1) in previous
research but only ranked 7th regarding actual achievement
status
- IT goal ‘provide IT compliance with laws and regulations’ was
ranked on the 5th place in terms of importance, but received
the highest rank for achievement status

121
Summary - High impact
implemented processes / achieved
IT goals relation

• 7 high impact COBIT processes
• 5 high impact Val IT processes
• 4 high impacted IT Goals

High impact COBIT processes

- Define a Strategic IT plan (PO1)
- Manage the IT investment (PO5)
- Communicate Management Aims and Direction (PO6)
- Assess and manage IT risks (PO9)
- Identify Automated Solutions (AI1)
- Acquire and Maintain Application Software (AI2)
- Acquire and Maintain Technology Infrastructure (AI3)

High impact Val IT processes

- Define and Implement Processes (VG2)
- Establish Effective Governance Monitoring (VG5)
- Continuously Improve Value Management Practices (VG6)
- Establish Strategic Direction and Target Investment Mix (PM1)
- Update Operational IT Portfolios (IM7)

High impacted IT Goals


- Align the IT strategy to the business strategy (IT_Corp6)
- Provide service offerings and service levels in line with business requirements (IT_User1)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

122
Summary - High impact
achieved IT goals / achieved
Business Goals relation
• 8 high impact IT Goals
• 6 high impacted Business Goals

High impact IT Goals


- Improve IT’s cost-efficiency (IT_Corp5)
- Align the IT strategy to the business strategy (IT_Corp6)
- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)
- Accomplish proper use of applications, information and technology solutions (IT_User4)
- Provide IT agility (in responding to changing business needs) (IT_Oper4)
- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals


- Achieve cost optimisation of service delivery (B_Cust4)
- Obtain reliable and useful information for strategic decision making (B_Cust6)
- Improve and maintain business process functionality (B_Int1)
- Improve and maintain operational and staff productivity (B_Int2)
- Enable and Manage business change (B_Int3)
- Optimise business process costs (B_Int5)

123
Input COBIT 4.1 development
Mapping COBIT 4.1 / correlation
matrix business goals – IT Goals

124
Input COBIT 4.1 development
Mapping COBIT 4.1 / correlation
matrix IT goals – COBIT processes

125
• Questions and discussion

• More information

- IT Governance and Alignment Research Institute


• www.uams.be/ITAG

- Email
• Wim.vangrembergen@ua.ac.be
• Steven.dehaes@ua.ac.be

- Books
• Van Grembergen W., De Haes S., Implementing
Information Technology Governance: models,
practices and cases, 255p., IGI Publishing, 2008
• Van Grembergen W., De Haes S., Enterprise
Governance of IT: achieving strategic alignment and
value, 360p., Springer, 2009

- International Journal on IT/Business Alignment and Governance (IJITBAG)
• www.igi-global.com/IJITBAG

126
