Professional Documents
Culture Documents
management program
CHAPTER 5
- manage the performance of IT
IT Governance and Strategy - ensure the delivery of IT value
- make certain of regulatory compliance and
Based on 5th version of COBIT, governance ensures adequate implementation of internal
that controls.
- stakeholder needs, conditions, and options IT Governance Frameworks
are evaluated to determine balanced,
agreed-on enterprise objectives are These three frameworks provide organizations with
achieved; the means to address different angles within the IT
- setting direction through prioritization and arena:
decision making; and
1. IT Infrastructure Library (ITIL)
- monitoring performance and compliance
- Developed by the UK’s Cabinet Office of
against agreed-on direction and objectives
Government Commerce (OGC)
These have set the bar corporate governance: - A library of best practice processes for IT
service management.
- Sarbanes-Oxley Act of 2002 (SOX) - Provides guidelines for best practices in the
- Committee of Sponsoring Organizations of IT services management field.
the Treadway Commission (COSO) - ITIL’s service management environment
- Combined Code on Governance in the effectively and efficiently delivers business
United Kingdom services to end-users and customers by
- Co-Operation and Development Principles of adhering to five core guidelines:
Corporate Governance in Europe Strategy – guidelines or best practice
COBIT processes to map the IT strategy with
overall business goals and objectives.
- Has become the global standard for Design – best practice processes or
governance and controls for IT requirements implemented to guide
- Provides a framework for implementing IT toward a solution designed to meet
controls to comply with SOX and other global business needs.
governance standards. Transition – aims to managing change,
Strategy is a formal vision to guide in the acquisition, risk, and quality assurance during the
allocation, and management of resources to fulfill deployment of an IT service.
the organization’s objectives. Operation – guidelines or best practice
processes put in place to maintain
IT strategy includes the future direction of adequate and effective IT services once
technology in fulfilling the organization’s objectives. implemented into the production
environment.
IT governance provides the structure and direction
Continuous improvement – constantly
to achieve the alignment of the IT strategy with the
looks for ways to improve the overall
business strategy.
process and service provision.
IT Governance – Alignment of IT with Business - ITIL is chosen when the goal of the
Objectives organization is to improve the overall quality
of the IT management services.\this
A close partnership between IT and business
framework assists in creating IT services that
management results to IT governance maturity and
can effectively help to manage daily tasks,
a higher return on IT investment.
particularly when the focus is on either
Close alignment of IT strategy with the business customer or end-user.
strategy is essential to the success of well-
functioning partnership.
2. Control Objectives for Information and
It is important for the organization to understand the
Related Technologies
business it supports and for the business to
- IT governance framework that helps
understand the technology it uses.
organizations meet today’s business
The Chief Information Officer (CIO) and IT challenges in the areas of regulatory
management must first seek to understand the compliance, risk management, and
business issues and offer proactive solutions to the alignment of the IT strategy with
organization’s needs. organizational goals.
- An authoritative, international set of
IT management must also have a clear generally accepted IT practices or control
understanding of their current strengths and objectives
weaknesses and be able to communicate this - Helps employees, managers, executives,
information to the business management. and auditors in understanding IT systems,
IT governance provides the structure to: discharging fiduciary responsibilities, and
deciding adequate levels of security and
- achieve the alignment of IT activities and controls.
processes with business objectives
- Supports the need to research, develop, assessing, and continually improving
publicize, and promote up-to-date an information security management
internationally accepted IT control system. These requirements are
objectives. generic and are intended to be
- Primary emphasis is to ensure that applicable to all organizations
technology provides businesses with regardless of type, size, or nature
relevant, timely, and quality information for (ISO/IEC 27001:2013)
decision-making purposes. Guidance for information security
- Now on its 5th edition, allows management to management system
benchmark its environment and compare it to implementation. (ISO/IEC DIS
other organizations. 27003)
- IT auditors can also use COBIT to Guidelines for implementing
substantiate their internal control information security management for
assessments and opinions, as COBIT inter-sector and inter-organizational
provides assurances that IT security and communications. (ISO/IEC
controls exist. Also helps them examine 2701020:2015)
objectives. ISO/IEC 27013:2015. Guidance on
- COBIT 5 helps organizations create optimal the integrated implementation of an
value from IT by maintaining a balance information security management
between realizing benefits and optimizing system, as specified in ISO/IEC
risk levels and resource use. 27001, and a service management
- Five principles of COBIT: system, as specified in ISO/IEC
1. COBIT 5 considers the IT needs of 20000-1.
internal and external stakeholders - The family standards above assist
2. Fully covering the organization’s organizations to manage the security of
governance and management of assets, including, but not limited to, financial
information and related technology. information, intellectual property, employee
3. Provides an integrated framework that details or information entrusted by third
aligns and integrates easily with other parties.
frameworks, standards, and best - ISO/IEC 27002 help organizations select
practices. proper security measures by utilizing
4. Enables IT to be governed and managed available domains of security controls. Each
in a holistic manner for the entire domain specifies control objectives that
organization. provides further guidance on how
5. Assists organizations in adequately organizations may attempt to implement the
separating governance from framework.
management objectives. - ISO/IEC 27002 should be chosen when IT
- Selection of COBIT may be appropriate senior management targets an information
when the goals of the entity is not only to security architecture that provides generic
understand and align IT and business security measure to comply with federal laws
objectives but also address the areas of and regulations.
regulatory compliance and risk
management. A Joint Framework
The Joint Framework, put together by the IT
Governance Institute (ITGI) and the OGC, aligns
3. British Standard International Organization ITIL, COBIT and ISO/IEC 27002 and allows
for Standardization (ISO) / International organizations to:
Electrotechnical Commission 27002
(ISO/IEC 27002) - Implement a single, integrated, compliance
- ISO/IEC 27002:2022 – 4 themes, 93 method that delivers corporate governance
controls, 5 attributes general control objectives;
- Global standard (used together with ISO/IEC - Meet the regulatory requirements of data and
27001 for risk assessment and treatment privacy-related regulation; and
and safeguard implementation) that provides - Get ready for external certification to ISO
best practice recommendations related to 27001 and 20000, both of which
the management of information security. demonstrate compliance.
- Applies to those in charge of initiating, Implementing joint framework leads organizations
implementing, and/or maintaining toward effective regulatory compliance and
information security management systems. improves their competitiveness
- Assists in implementing commonly accepted
information security controls and IT Performance Metrics
procedures.
Developing a measurement process takes time and
- The ISO/IEC 27000 family of standards
resources to implement.
includes techniques that help organizations
secure their information assets. IT security To be successful:
related techniques:
Requirements for establishing, - Organization and IT management must be in
implementing, maintaining, full support
- Organization and IT management must be - Validity determines the degree to which it
consulted as to the types of measurements actually measures what it was intended to
they believe will be most beneficial. measure.
- Areas to be measured should be closely
Measure must be meaningful and provide useful
aligned to the objectives of the organization.
data to management.
Critical metric set – the few key metrics that are
IT Balanced Scorecard
critical to the successful management of the function
that should be identified and applied to the Questions frequently asked and assessed:
environment.
- Is our current IT investment plan consistent
- Once identified, personnel in the areas to be with the organization’s strategic goals and
measured should be consulted objectives?
- Set of measurement should be devised - Was the IT application just developed a
- Personnel should select the best means to success?
measure the quality and productivity of their - Was it implemented effectively and
work. efficiently?
- Metrics are applied to both measurable and - Is our IT department adding value to the
meaningful data organization?
- After initial implementation, it is important to - Should our current IT services be outsourced
show the results on a regular basis to third parties?
- As the metrics database grows, the reliability
and usefulness of the data will increase IT Balanced Scorecard
When it is difficult to get management support - Support the continuous needs organizations
because of their skepticism or lack of education have to measure the value of IT and evaluate
regarding the matter, these steps must be taken: its performance.
- Provides an overall picture of IT performance
1. Management must be made to realize that it aligned to the objectives of the organization.
is next to impossible to manage what cannot - It specifically measures and evaluates IT-
be or is not measured. This is done by related activities from various perspectives,
backing up with some sample metrics. such as IT-generated business value, future
2. Survey data from other organizations and orientation, operational efficiency and
compile and present them to encourage effectiveness, and end-user service
adoption of a metrics frame of mind. satisfaction.
3. Once all metric data are gathered, it must be - These perspectives are then translated into
presented in a format that is easy to corresponding metrics that reconcile with the
understand. A combination of graphics and organization’s mission and strategic
text is important to illustrate the context and objectives.
performance trends. - Results from the metrics are assessed for
adequacy against target values and/or
Reports must stress the progress in the areas
organization initiatives.
selected for measurement. This shows short-term
- The four perspectives, described next,
results in the long-term measurement process.
should be periodically revised for adequacy
Once concept of metrics are accepted by the by management personnel.
management, next is implementing some
measurements in critical areas. It is important to be 1. IT-Generated Business Value
sensitive to the resistance to change. - In general, IT provides value through
Implementation of metrics causes uneasiness and delivering successful projects and keeping
fear in the ranks. operations running.
- Focus is reduced cost = measure the cost of
Most important rules in the design and
IT before and after automation
implementation of a metric are:
- Focus is new markets = measure the time to
1. In all cases, the area that is to be measured market new products
must help in the development of the metrics. - IT adds value to an organization through
This creates a sense of ownership over the project and service delivery.
measurements and will ease the resistance - IT projects deliver business value by
to implementation. automating business processes. As these
2. The measures are applied to events and projects are enabled by technology, IT is
processes, and never to individuals. If people adding value to the organization. Measuring
get the idea that their performance is being the amount of benefit delivered from these
measured, they will less likely comply with projects is one way of representing the value
the metric process. of IT.
- Automating business processes typically
The last step is to identify the attributes of an results in higher IT costs and lower business
effective measure. An effective measure must be costs (or higher revenue).
able to pass tests of reliability and validity. - There may be a perception that IT costs are
- Reliability defines consistency of a measure growing without the recognition that business
costs should be dropping or revenue growing
by a greater margin.
- IT services deliver value by being available 3. Operational Efficiency and Effectiveness
for the organization as needed. - The operational efficiency and effectiveness
- As part of the strategic and operational perspective focuses on the internal
planning process, an organization must processes in place to deliver IT products and
decide the level of service required of IT. services in an efficient and effective manner.
- Service levels will depend on the type of - Internal operations may be assessed by
organization, application portfolio, services measuring and evaluating IT processes in
provided by IIT, and objectives of the areas, such as quality, responsiveness,
organization. security, and safety, among others.
- Metrics to measure business value may - Measurements of the operational efficiency
address the functions of the IT department, and effectiveness perspective may result in
value generated by IT projects, management useful data about the productivity of different
of IT investments, and sales made to internal processes as well as resources.
outsiders or third parties. - Metrics here can yield productivity
- These metrics may include: information about the performance of
percentages of resources devoted to technologies and of specific personnel.
strategic projects;
perceived relationship between IT
management and senior-level 4. End-User Service Satisfaction
management; - The end-user, for IT purposes, may be
computation of traditional financial internal personnel or external (e.g., users
evaluation methods, such as return accessing inter-organizational IT systems or
on investment (ROI) and pay-back services, etc.).
period; - From an end-user’s perspective, the value of
actual versus budgeted expenses; IT will be based on whether their jobs are
percentages over/under overall IT completed timely and accurately.
budget; and - A mission for this perspective would be to
revenues from IT-related services deliver value-adding products and services
and/or products; among others. to end-users.
- Related objectives would include maintaining
acceptable levels of customer satisfaction,
2. Future Orientation - partnerships between IT and business,
- Future orientation is concerned with application development performance, and
positioning IT for the future by focusing on service-level performance.
the following objectives: - Metrics used to measure the aforementioned
(1) training and educating IT personnel for objectives should focus on three areas:
future IT challenges; being the preferred supplier for
(2) improving service capabilities; applications and operations
(3) staffing management effectiveness; establishing and maintaining
(4) enhancing enterprise architecture; and relationship with the user community
(5) researching for emerging technologies satisfying end-user needs
and their potential value to the organization. - It would be necessary for IT personnel to
- A sample mission for this perspective would establish and maintain positive relationships
be to deliver continuous improvement and with the user community in order to
preparing for future challenges. understand and anticipate their needs.
- Sample metrics within this perspective would
Steps in Building an IT Balanced Scorecard
address the following:
Continuously improving IT skills Having an understanding of both corporate-level and
through education, training, and IT strategies, as well as the specific goals related to
development. each type of strategy, is crucial before developing an
Delivering internal projects consistent IBS.
to plan.
The following steps are recommended when
Staffing metrics by function (e.g.,
building a company-specific IBS:
using utilization/billable ratios,
voluntary turnover by performance 1. Have both senior management and IT
level, etc.). management on board from the start; make
Developing and approving an them aware with the concept of the IBS.
enterprise architecture plan, and 2. Coordinate the collection and analysis of
adherence to its standards. data related to:
Conducting relevant research on - corporate strategy and objectives (e.g.,
newly-emerging technologies and business strategy, IT strategy, company
their suitability for the organization. mission, company specific goals, etc.);
- traditional business evaluation metrics and
methods (e.g., ROI, payback period, etc.)
currently implemented for IT performance
measurement; and
- potential metrics applicable to the four IBS
perspectives.
The IT Steering Committee helps ensure integration Operating plans will also identify and schedule the
of the business objectives and goals with the IT IT projects that will be initiated and the IT service
strategy. The committee’s tasks include: levels expected.
Reviewing business and technology strategies and Delivery of these plans should be controlled by a
plans. series of governance processes.
- Prioritizing major development projects. These governance processes are needed to ensure
- Developing communication strategies. the effective use of resources and delivery of IT
- Reviewing development and implementation projects, as well as proper alignment with business
plans for all major projects. objectives.
- Providing business decisions on major
This includes processes to: manage project
design issues for all major projects.
demands, initiate projects, perform technical
- Monitoring status, schedule, and milestones
reviews, procure products and manage vendors,
for all major projects.
and control financial investments.
- Reviewing and approving major change
requests for all major projects. Demand Management
- Reviewing project budgets and ROIs.
- Resolving conflicts between business and - Requirements and business case approved
technology groups. by management
- Monitoring business benefits during and after - Technology costs approved by IT
implementation of major projects. Projects need to be reviewed at the beginning of
Once an IT strategy has been established by the IT their life cycles to make sure they have a strong
Steering Committee, it must be communicated to all business case, as well as senior management
levels of management and to the users to ensure support.
alignment and reduce conflict. A demand management process can help ensure
Communication that resources are devoted to projects that have a
strong business case and also approved by senior
Effective communication is critical to coordinate the management.
efforts of internal and external resources to
accomplish the organization’s goals. Demand Management helps ensure that senior
management is on board, and has provided
Communication should occur at multiple levels, conceptual approval to the project to proceed
starting by having internal weekly staff meetings, through the initial requirements definition and
with all the employees within a department. conceptual design phases of the development life
cycle.
Communication should also take place via town hall
meetings, which are typically attended by (and All projects should have an appropriate sponsor
addressed to) all employees in the organization. from senior management before evaluating the
costs of implementing a solution. This is highly
advisable in order to avoid wasted effort on a project - Architecture
that will not get approved. - In-house skill compatibility
- Existing environments/replacements
A demand management process ensures that a
- Implementation, licensing, and cost
project has business justification, a business and
considerations
IT sponsor, and a consistent approach for approving - Research and analyst views
projects. - Vendor company profile and financial
viability
A demand management process also ensures:
Procurement and Vendor Management
- alignment of application and infrastructure
groups; - Requirements and solution approved by
- that all project costs are identified to improve management
decision making; - Technology vendors approved by IT
- that there are means to “weed out”
Processes and procedures should be in place to
nonessential projects; and
define how the procurement of IT resources,
- means are identified to control IT capacity
including people, hardware, software, and other
and spending
services will be performed.
Project Initiation
IT procurement involves strategic and administrative
- Capacity and service levels approved by tasks, such as defining requirements and
management specifications; performing the actual IT service or
- Technology resources approved by IT resource acquisition (only after assessing and
selecting the appropriate vendor); and fulfilling
Once a project with a strong business case has been contract requirements.
approved, it should undergo an initiation process
that determines its total cost and benefit. Vendor selection usually involves the evaluation of
three to five vendors.
This is usually done by defining high-level business
requirements and a conceptual solution. The IT Steering Committee regularly evaluates IT
vendors and suppliers and makes the ultimate
Building a project estimate takes time and decision of which vendors or suppliers to bring on
resources. board.
It takes time from business users to develop
requirements and a business case. It also takes time Financial Management
from software developers to develop a solution and
cost estimates. - Scope, schedule, and budget approved by
management and IT
After a project has conceptual approval, business - Progress is monitored by management and
users and software programmers can work together IT
to develop detailed requirements and project
estimates that will be used in the final business case In the financial management governance process,
and form the basis for the project budget. potential investments, services, and asset portfolios
are evaluated so that they get incorporated in
Technical Review cost/benefit analyses and ultimately within the
- Solution design approved by management budget. IT budgeting, for instance, considers
- Technical design approved by IT existing IT products, resources, and services in
order to assist the planning of IT operations.
The technical solution needs to be evaluated before
moving forward to ensure compliance with Budgeting is a strategic planning tool (typically
technology standards. expressed in quantitative terms) which aids in the
monitoring of specific activities and events.
A technical review process helps ensure that the
right solution is selected, that it integrates effectively Budgeting also provides forecasts and projections of
with other components of technology (e.g., network, income and expenses which are used strategically
etc.), and that it can be supported with minimal for measuring financial activities and events.
investments in infrastructure. Budgets are useful to management when
One way to control technology solutions is to determining whether specific revenues/costs
implement a Technical Steering Committee with activities are being controlled (i.e., revenues being
representatives from the various technical higher than budget estimates or costs being lower
disciplines and enterprise architects. than estimated budget amounts).
A Technical Steering Committee provides a control Budgets lead how organizations might perform
mechanism for evaluating and approving new financially, operationally, etc. should certain
technology solutions. strategies and/or events take place.