Whitepaper Practical Information Technology Governance

Published in: Business, Education

  1. 1. Practical Information Technology Governance: Creating an Environment for Business Driven Effective IT Management, Decision Making and Operations

     Alan McSweeney
  2. 2. Contents

     • IT Governance as a Means to an End
     • Benefits of IT Governance
     • IT Governance Drivers and Principles
     • IT Governance and Best Practice Standards
     • IT Governance Architecture Framework
     • Implementing Effective IT Governance
     • IT Governance with COBIT
       • COBIT Domain and Process Structure
       • COBIT Information Measurement Criteria
       • COBIT Process Goals and Metrics
     • Implementing IT Governance
     • Lessons Learned From Implementing IT Governance

     63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance.

     IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services. Underlying the idea of IT Governance is the concept of IT and business alignment.

     Implementing IT Governance is good for both the organisation and for IT. It ensures that IT delivers value and that the value of IT is understood.

     Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives.

     COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks.

     Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way.

     Some “quick wins” from IT Governance can be achieved by implementing the following:

     • Ensure that IT project priorities are based on business priorities
     • Audit existing IT processes and modify to ensure they are effective
     • Ensure that IT projects are led by the business and strongly supported by IT
     • Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value
     • Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments
     • Create an IT Strategy Committee with business involvement
  3. 3. IT Governance as a Means to an End

     IT Governance creates a framework where IT management can be performed effectively and IT-related decision making focuses on the effective and efficient running of IT operations and services.

     IT Governance can be seen as one more non-value adding overhead that is part of the ever increasing compliance overhead imposed on organisations. There can be a real reluctance to consider IT Governance programmes because of “compliance fatigue” associated with the many compliance requirements that have arisen in the past years. However the adoption of appropriate and relevant IT Governance will yield real business benefits. Appropriate is the key word here: there are no prizes for excessive controls.

     [Sidebar figure: “How would you rate your organisation’s maturity level on IT Governance?” Source: IT Governance Global Status Report—2008]

     Information Technology is investment-intensive. Change is both common and frequent. The speed with which an organisation correctly adopts innovation and deployment is critical in developing and maintaining competitive advantage.

     The core function of IT is to serve the business. Alignment of IT with organisational goals and objectives and the management of IT to serve and support the business in its pursuit of success all require clear governance. Conversely, this also needs a business that is engaged with IT.

     In making a decision to implement an IT Governance framework, it is important to be practical and realistic. Appropriate governance is what is required and governance for a reason rather than for its own sake.

     Benefits of IT Governance

     Underlying the idea of IT Governance is the concept of IT and business alignment. The linkage of IT with business objectives remains a key issue for IT management.

     [Sidebar figure: “How would you describe the fit or alignment between your corporate governance practices and IT Governance practices?” Source: IT Governance Global Status Report—2008]

     The implementation of IT Governance is designed to deliver real benefits:

     • Better IT to business alignment built on a business focus
     • Improved maintenance and operations planning
     • Establishment of data and information standards
     • Management view of what IT does and increased visibility of IT spending
     • Clear ownership and responsibilities, based on process orientation
     • General acceptability with third parties and regulators
     • Shared understanding amongst all stakeholders based on a common language
     • Fulfilment of the governance requirements for the IT control environment
     • A comprehensive IT Governance model for managing all IT resources

     IT Governance fits into an increasingly crowded landscape of corporate governance, regulation and compliance rules and standards.
  4. 4. However there are tangible financial advantages to implementing IT Governance. Analyses and comparisons demonstrate that companies with effective IT Governance have profits that are 20% higher than similar companies without an IT Governance framework.

     [Sidebar figure: “How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy?” Source: IT Governance Global Status Report—2008]

     IT Governance assists IT in meeting the expectations placed on it by business by:

     • Delivering quality IT solutions on time and on budget
     • Employing and exploiting IT to deliver business value
     • Leveraging IT to increase efficiency and productivity while managing IT risks

     There are two aspects to IT controls:

     1. IT must implement internal controls around how it operates
     2. The systems IT provides to the business and the underlying business processes these systems implement must be controlled – these are controls external to IT

     [Sidebar figure: “How would you describe the level of engagement by business management in the governance of IT-enabled business initiatives?” Source: IT Governance Global Status Report—2008]

     IT is impacted by business requirements as IT drives the business process and manages the information that such governance seeks to control. IT is at the core of most complex businesses. IT is required to manage itself more effectively and reliably in order to respond to these requirements.

     The twin drivers of increasing complexity and the need for greater cost controls will exert continuous pressure on IT operations and make using best practice frameworks to implement governance solutions the only real answer available.

     Appropriate IT Governance can yield real business benefits. IT Governance imposes a standard that ensures IT is aligned to business strategy and objectives.
  5. 5. IT Governance Drivers and Principles

     63% of organisations feel that IT is very important to the delivery of the overall organisation strategy. Yet only 33% of general management within organisations see the alignment between business and IT as being very good. The need to bridge this disconnect between business and IT is one of the fundamental reasons for IT Governance.

     [Sidebar figure: “How would you describe the fit or alignment between your corporate governance practices and IT Governance practices?” Source: IT Governance Global Status Report—2008]

     The drivers of IT Governance include:

     • The search for competitive advantage through more effective use of information and IT
     • The need to align technology projects with strategic organisational goals, ensuring they deliver planned value through greater project governance
     • Operational risk management and the proliferation of threats (internal and external) to information and IT
     • The governance requirements of various compliance obligations
     • Increasing regulatory compliance and information and privacy legislation

     IT Governance is important for all organisations. Those without an IT Governance strategy face risks; those with one perform better.

     In the current corporate governance environment, where the value and importance of information assets are sizeable, core governance principles must be extended to information and IT. These principles include establishing strategic aims, providing strategic leadership, overseeing and monitoring the performance of executive management and reporting to shareholders on their stewardship of the organisation.

     The IT function must be aligned to the larger organisation. A lack of openness within IT is simply not consistent with the expectation of pro-activity and governance transparency.

     IT Governance should be focussed on four key areas, divided into two groups:

     Goals of IT Governance

     1. IT Value Delivery: focus on optimising cost and the value of IT
     2. Risk Management: focus on safeguarding IT assets, disaster recovery and continuity of operations

     Means to Achieve IT Governance Goals

     3. IT Strategic Alignment: focus on aligning IT with the business and collaborative solutions
     4. Performance Measurement: focus on tracking project delivery and monitoring delivery of IT services.

     [Sidebar figure: “How important do you consider IT to be to the successful delivery of the business strategy or vision?” Source: IT Governance Global Status Report—2008]
  6. 6. IT Governance and Best Practice Standards

     In translating IT Governance from theory to practice, there are a number of IT best practice frameworks and standards, such as Control Objectives for Information and related Technology (COBIT), ISO17799, IT Infrastructure Library (ITIL) and Capability Maturity Model (CMM), available to help IT functions improve their accountability, governance and management.

     [Sidebar figure: “How regularly does your IT department inform the business about potential business opportunities enabled by new technologies?” Source: IT Governance Global Status Report—2008]

     COBIT is designed as a high-level umbrella framework and it works very well with other lower-level frameworks like ITIL and ISO27002 which focus on specific aspects of IT Governance. Clearly the structure of IT Governance depends on the IT structure and focus of the organisation.

     [Sidebar figure: “To what extent does your IT department understand and support the business user needs?” Source: IT Governance Global Status Report—2008]

     Business can obtain value from the implementation of appropriate best practice frameworks through the reduction of the number of ad-hoc processes. This brings discipline to IT activities and improves accountability.

     IT Governance Architecture Framework

     This framework depicts how strategy, governance structures and performance goals are synchronised. The “Whats” link overall strategy, governance structures and performance goals so they are aligned and drive an organisation to achieve its vision or steer in the strategic direction in which they are trying to move.
  7. 7. [Sidebar figure: “How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy?” Source: IT Governance Global Status Report—2008]

     The “Hows” translate the theory into practice:

     • The organisation’s strategy defines the behaviours required.
     • The organisation’s governance arrangements are implemented through its governance processes.
     • The organisation’s performance goals are measured through appropriate metrics.

     Implementing Effective IT Governance

     Control Objectives for Information and related Technology (COBIT) has been referred to earlier in this paper. COBIT has become the de facto framework for the management of Information Technology standards and processes. COBIT aims to be different from other quality and governance approaches in two key ways:

     1. It is an IT Governance framework and supporting set of tools that IT can use to bridge the gap between control requirements, technical issues and business risks
     2. It provides a detailed implementation structure and toolset that translates the framework theory into practical and achievable deliverables

     [Sidebar figure: “Rate the relative importance of IT-related problems based on impact and severity, frequency of occurrence, improvement or disimprovement and priority for resolution in the next 12 months.” Source: IT Governance Global Status Report—2008]

     As with all governance standards and methodologies, implementation can be long and painful. Implementation of and adherence to these compliance standards can seem to represent wasted effort as it does not add value to the business. COBIT removes at least some of the pain and reduces the execution time by going some way towards translating general principles to realisable specifics.

     Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.
  8. 8. [Sidebar figure: “On a scale from 1, not at all serious, to 3, very serious, rate the severity of problems experienced?” Source: IT Governance Global Status Report—2008]

     The framework can be customised and simplified to suit the requirements of the organisation.

     In order to deliver and be seen to deliver quick wins from IT Governance, the following areas should be given attention:

     • Ensure that IT project and service priorities are based on business priorities
     • Audit existing IT processes and modify to ensure they are effective
     • Ensure that IT projects are led by the business and strongly supported by IT
     • Develop an IT scorecard designed for a business audience that includes details on how IT creates and delivers business value
     • Implement a standard process for determining the business value (both financial and non-financial) and risk of IT-enabled business investments
     • Create an IT Strategy Committee with business involvement

     COBIT has a broad coverage and a business focus. It seeks to ensure that IT delivers what the business needs. COBIT focuses on the “what” rather than on the “how”. It is a control and management framework, linking IT practices to business requirements. COBIT is based on the principle that to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to manage and control IT resources using a structured set of processes to deliver the required information services.

     COBIT is integrated with other standards and thus can become an umbrella framework for IT Governance:

     • It assists in understanding and managing the risks and benefits associated with IT
     • The process structure of COBIT and its business-oriented approach provides an end-to-end view of IT

     [Sidebar figure: “Has the situation regarding these problems deteriorated, stayed the same or improved during the past 12 months?” Source: IT Governance Global Status Report—2008]

     COBIT provides a ready-made flexible IT Governance framework that can subsume other more detailed and specific best-practice frameworks.

     IT Governance with COBIT

     COBIT Domain and Process Structure

     The COBIT process model of four domains contains processes that manage the IT resources to deliver information to the business according to business and governance requirements. Each of the processes contains a set of objectives. When implemented, the governance Processes within the Domains can be regarded as an engine to deliver information and fulfil objectives.
  9. 9. [Sidebar figure: “Which of any of the following practices does your organisation’s current approach to IT Governance include?” Source: IT Governance Global Status Report—2008]

     The implementation of these COBIT processes within the toolset is divided into four parts:

     1. High-level control objectives – this is a process summary identifying the business requirement being satisfied, focus, achievement and measurement principles
     2. Detailed process-specific control objectives
     3. Process inputs and outputs, responsibilities, goals and metrics
     4. Process maturity model

     Each of these processes consists of a number of specific control objectives. It is COBIT’s execution-oriented template approach and structure that makes it useful and implementable.

     COBIT Information Measurement Criteria

     COBIT defines criteria to measure how the information delivered by the processes meets business objectives.

     • Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
     • Efficiency: Concerned with the provision of the information through the optimal use of resources
     • Confidentiality: Concerned with the protection of sensitive information from unauthorised disclosure
     • Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
     • Availability: Relates to the information being available when required by the business process now and in the future
     • Compliance: Deals with complying with laws, regulations and contractual arrangements
     • Reliability: Relates to the provision of appropriate information for the workforce of the organisation

     [Sidebar figure: “Have you implemented, are you in the process of implementing or are you considering implementing improved IT Governance practices?” Source: IT Governance Global Status Report—2008]

     COBIT Process Goals and Metrics
  10. 10. Each process has three sets of goals measured by corresponding sets of metrics:

     • Activity Goals, measured by Key Performance Indicators
     • Process Goals, measured by Process Key Goal Indicators
     • IT Goals, measured by IT Key Goal Indicators

     [Diagram labels: “Delivery”, “Measured By”]

     In addition to the process-specific control objectives, COBIT includes a set of generic process controls that are applied to all processes.

     [Sidebar figure: “How valuable do you think COBIT is in your IT Governance efforts/initiatives?” Source: IT Governance Global Status Report—2008]

     Control: Description

     • PC1 Process Owner: Assign an owner for each COBIT process such that responsibility is clear.
     • PC2 Repeatability: Define each COBIT process such that it is repeatable.
     • PC3 Goals and Objectives: Establish clear goals and objectives for each COBIT process for effective execution.
     • PC4 Roles and Responsibilities: Define unambiguous roles, activities and responsibilities for each COBIT process for efficient execution.
     • PC5 Process Performance: Measure the performance of each COBIT process against its goals.
     • PC6 Policy, Plans and Procedures: Document, review, keep up to date, sign off on and communicate to all involved parties any policy, plan or procedure that drives a COBIT process.

     COBIT includes a set of generic application control groups and detailed controls that are applied to all processes:

     • Data Origination/Authorisation Controls
     • Data Input Controls
     • Data Processing Controls
     • Data Output Controls
     • Boundary Controls

     [Sidebar figure: “Which IT-related investment principles deliver the greatest value to the organisation?” Source: IT Governance Global Status Report—2008]

     Because COBIT has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly.
  11. 11. Implementing IT Governance

     [Sidebar figure: “Which of the following IT-related investment principles applies or is planned to be applied in your organisation?” Source: IT Governance Global Status Report—2008]

     Implementing IT Governance is similar to any other IT or business project and should be approached and managed in the same way. The roadmap to implementing IT Governance consists of the following general phases and activities:

     [Sidebar figure: “What do you see as the greatest obstacles/constraints to organisations adopting the IT-related investment?” Source: IT Governance Global Status Report—2008]

     Implementing IT Governance should be treated like any other project.

     Lessons Learned From Implementing IT Governance

     The lessons learned from implementing IT Governance relate to avoiding the all too common problems associated with business and IT being disconnected:

     • Management see a value from investments made in IT and see that IT is an investment rather than a cost.
     • IT is no longer seen as a barrier to implementing new strategies. IT becomes a strategic enabler rather than being seen as restricting the ability of the business to respond to new opportunities.
     • The IT decision-making mechanism is open and transparent rather than slow, cumbersome and not apparent.
     • Management understand and appreciate how IT is governed within the organisation.
     • IT projects are completed on time and on budget and deliver on the committed benefits. Good project management is part of good IT Governance.

     [Sidebar figure: “Which of the following measures have you implemented, or are you in the process of implementing, to improve IT management and governance?” Source: IT Governance Global Status Report—2008]

     Implementing IT Governance is good for both the organisation and for IT. Governance ensures that IT delivers value and that the value of IT is understood.
  12. 12. For more information, please contact: alan@alanmcsweeney.com
