The Value of IT Frameworks
Recent views from Chief Information Officers
Results from the CIONET survey of European CIOs on the business value of IT Frameworks
What’s next.
Table of Contents

Introduction
1. IT Frameworks
   COBIT
   ISO 27001 - Information Security
   ISO20000 - ITIL
2. The Survey Results
   IT Governance
   Information Security
   Service Delivery
3. Comparison to other international surveys
4. The Case Studies
   IT governance and management at Atos Worldline
   IT Service Delivery at M-Team
   Information Security at Dexia
5. Major Findings
6. Conclusion
Introduction

In an environment where new business demands, stringent industry-specific regulations, and risks emerge every day, maximizing the value of intellectual property, managing information risk and security, and assuring compliance through effective enterprise governance of IT have all emerged as mission critical issues for enterprises of all sizes and industries worldwide. Several frameworks to support these enterprise challenges emerged some 20 years ago and, while they have evolved, they increasingly maintained they would create value for the enterprise. But do they?

CIONET is the biggest community of IT executives in Europe. Bringing together over 3500 CIOs, CTOs and IT directors from wide ranging sectors, cultures, academic backgrounds and generations, CIONET’s membership represents an impressive body of expertise in IT management. CIONET’s mission is to feed and develop that expertise by providing top-level IT executives with the resources they need to realise their full potential.

The CIONET community maintains close ties with both corporate and academic worlds, helping to foster the kind of creative thinking that fuels innovation in IT.
Every year, CIONET actively supports a number of research projects and, e.g., trends surveys on a range of topics developed in consultation with our advisory boards.

For the needs of this report, 56 enterprises of varying size and industry responded to the survey and provided detailed information on usage, actual and expected benefits, and actual and expected costs of IT frameworks used for
__ IT Governance
__ Information Security
__ Service Delivery

In addition to the traditional ‘Major lessons learned’, the survey explored the reason and degree of adoption of frameworks, their expected cost and benefits and the actual costs and benefits.

[Figure: survey respondents by Enterprise Size (Company Staff and IT Users, in the bands <500, 501-1000, 1001-5000, 5001-10000, 10001-50000, 50000+), by Industry (Services, Consumer Goods & Retail, Technology & Telecom, Industrials & Manufacturing, Utilities & Energy, Financials, Healthcare, Government, Other) and by Geography (Belgium, Other, U.K., Italy, Netherlands, Spain)]
1. IT Frameworks

IT Governance and Management

An IT Governance Framework like COBIT helps enterprises navigate the complexities of managing information and its infrastructure and helps to understand, utilise, implement and direct important information-related activities and make more informed decisions through simplified navigation and use. It is developed and maintained by ISACA, which is about to publish version 5.

COBIT helps IT professionals with tools and expertise to identify critical issues and customize company-specific practices to support the management and governance of information and related technologies.

COBIT defines responsibility domains and a process structure together with a suggested cascade of linked enterprise, IT and process goals to help identify critical issues relative to enterprise IT. It also provides a knowledge base following the process structure containing practices, metrics, maturity models and RACI charts.

COBIT is being used by tens of thousands of companies and millions of professionals worldwide, is supported by many regulators and has become the de facto standard for enterprise governance of IT.
[Figure: CobiT5 Concepts and Process Model. Governance processes follow an Evaluate, Direct, Monitor cycle; management processes follow a Plan, Build, Run, Monitor cycle.]

Processes for Governance of Enterprise IT
__ Evaluate, Direct & Monitor: EDM1 Set and maintain the Governance Framework; EDM2 Ensure Value Optimisation; EDM3 Ensure Risk Optimisation; EDM4 Ensure Resource Optimisation; EDM5 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
__ Align, Plan & Organise: APO1 Define the Management Framework for IT; APO2 Define Strategy; APO3 Enterprise Architecture; APO4 Manage Innovation; APO5 Manage Portfolio; APO6 Budget & Costs; APO7 Manage Human Resources; APO9 Manage Service Agreements; APO10 Manage Supplier; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security
__ Build, Acquire & Implement: BAI1 Manage Programmes and Projects; BAI2 Manage Requirements Definition; BAI3 Manage Solutions Identification & Build; BAI4 Manage Availability & Capacity; BAI5 Manage Organisational Change Enablement; BAI6 Manage Changes; BAI7 Manage Change Acceptance & Transition; BAI8 Manage Knowledge; BAI9 Manage Assets; BAI10 Manage Configuration
__ Deliver, Service & Support: DSS1 Manage Operations; DSS2 Manage Service Requests & Incidents; DSS3 Manage Problems; DSS4 Manage Continuity; DSS5 Manage Security; DSS6 Manage Business Process Controls
__ Monitor, Evaluate & Assess: MEA1 Monitor & Evaluate Performance and Conformance; MEA2 Monitor System of Internal Control; MEA1 Monitor and Assess Compliance with External Requirements
Information Security

The most widely used framework by far is the current ISO27001, which formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

The standard evolved from ISO17799, which itself was based on the British Standard for Information Security BS7799.

ISO/IEC 27001 requires that management:
__ systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
__ design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable;
__ adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

It is constructed following a Plan-Do-Check-Act model and provides 39 control objectives and 123 controls for information security for 11 domains:

IS27001 Domains                                     Objectives   Controls
1   Security Policy                                 1            2
2   Organisation and Information Security           2            11
3   Asset Management                                2            5
4   Human Resources Security                        3            9
5   Physical and Environmental Security             2            13
6   Communications and Operations Management        10           32
7   Access Control                                  7            25
8   Security Requirements of Information Systems    6            16
9   Information Security Incident Management        2            15
10  Business Continuity Management                  1            5
11  Compliance                                      3            10

Associated standards have been developed for verifying compliance against 27001.
Service Delivery

ITIL (Information Technology Infrastructure Library) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It was developed by the CCTA, which is now incorporated in the Office of Government Commerce (OGC).

ITIL describes activities and practices of the service lifecycle in detail, linked to customer/business requirements using business metrics and reinforcing continuous improvement. Based on a clear specification and a “Code of Practice”, it draws on many other standards and helps managers develop their own IT Service Management System. ITIL has become the “bible” of many IT operational managers.

A new version became available in 2007 (ITIL version 3). It does not focus on processes like version 2 but rather on services. A service lifecycle forms the heart of version 3:
__ Service Strategy
__ Service Design
__ Service Transition
__ Service Operation
__ Continual Service Improvement

[Figure: ITIL Concepts and Structure. Layers of the IT Service Management System (ITSMS): certification against ISO/IEC 20000-1:2005, the specification (“Aims to fulfil”); ISO/IEC 20000-2, the code of practice (explanatory guidance to 20000-1); supporting frameworks (ITIL, Cobit, MOF, ...) as best practice preference models for IT Service Management; and the in-house policies, processes, working procedures and instructions proper to IT organizations, used for implementation and improvement.]
2. The Survey Results

IT Governance

In almost all cases this framework is CobiT or CobiT-based. Not surprisingly, the CIO sponsors the adoption and use of an IT governance framework in more than 3 out of 4 cases. Hence it is also logical that IT management and IT professionals are leading its implementation and are primary users. Other major users are the risk, security, compliance and audit functions.

[Figure: Sponsors IT Governance Framework. Categories: CIO, COO, CTO, CFO, none]

[Figure: Users and Leaders IT Governance Framework. Categories: Senior management, IT management, IT professionals, Risk managers, Security staff, Compliance officers, Auditors]
Nearly all respondents use the framework in one form or another.

But when asked how intensively the IT Governance Framework is used, it turns out that less than one third use it for more than just guidance.

The latter was confirmed when asking for the reason why they adopted the framework, i.e. as guidance for IT governance implementations and IT improvements.

Adoption of a governance framework is seen as a forward looking action and not done in reaction to a problem.

[Figure: Usage Maturity of the IT Governance Framework. Categories: Not used at all; Just influenced by its concepts; To obtain guidance in decision making; In addition used regularly as reference material; Basis for IT policy but not for practices; Extensively used for practices but compliance not verified; Extracted practices applied and compliance verified. Percentages as they appear on the page: 5%, 39%, 18%, 11%, 7%, 13%, 7%]

[Figure: Major Drivers for using an IT Governance Framework, rated High / Medium / Low. Drivers: Support regulatory compliance; Guide IT Governance implementation; Guide IT improvements; Reference for Audit; In response to a major incident; Support IT operations]
[Figure: Expected and Actual Benefits of using an IT Governance Framework, rated High / Medium / Low. Efficiency: Improved enterprise processes, Extended staff capabilities. Effectiveness: Better service delivery, Faster solution delivery. Risk: Increased innovation, Reduced risk]

The results of the expected and actual benefits paint a complex picture:
__ The major driver is service delivery, a driver one would expect more for a service delivery framework such as ITIL
__ Improved processes and reduced risk come in as a close second as expected benefits
__ The actual benefits however look very different, indicating overall benefits (see the scores in the Medium column) but disappointing relative to the high expectations.
__ Interestingly, innovation was neither an expected nor an actual benefit, which indicates that the industry is maybe not ready yet for frameworks like ValIT

Less data was provided on the actual cost of the framework’s implementation, roll-out and usage. When asked how they measure costs, 60% did so through metrics, the rest via actual cases and management perception.

Only half of the respondents used external help on the project, on average 112 man-days, a quarter of which was used for training.

Nevertheless, and after deleting the extreme values, sufficient data was available to learn that the actual cost was generally less than the estimate. Larger companies tend to be better at estimating but the closeness of estimate and actual is intriguing. Smaller companies spend 20% less, especially in the roll-out phase of the project.

[Figure 3 - Measuring the cost of an IT Governance Framework. Categories: Cases, Perception, Metrics]

Estimated and Actual Cost of an IT Governance Framework in Small and Large Enterprises

COST in 1000€             Estimate   Actual
SMALL   Implementation    340        290
        Roll-out          250        150
        Usage             200        190
LARGE   Implementation    1450       1350
        Roll-out          1000       1100
        Usage             400        350
The survey enterprises were also asked how benefits were demonstrated. The result is shown here as a heat chart. Two results jump to the front: benefit metrics appear to be very much used for service delivery, and increased innovation is purely a case of perception.

The respondents also provided information as to the actual metrics used. Overall the most quoted was number of issues raised, fixed and outstanding, and second most quoted was resolution time. Framework adherence and maturity level achieved only received low scores.

Finally, the lessons learned were collected. Respondents confirmed a major argument used by framework developers, i.e., that they significantly provide for a common language between all stakeholders of IT. On the negative side, their implementation is perceived to be complex with a high learning curve for managers. And as for most initiatives that look for improvement, a high level of senior management support was identified as a major requirement for success.

As a general conclusion we can state that the cost of an IT governance framework is 20% less than expected but benefits, in the absence of strong metrics, are perceived to be less than hoped for. Notwithstanding, the lessons learned all talk about a better organisation, more useful management information and a higher maturity.

[Figure: Heat Map of How Benefits Are Demonstrated. Proof by: Metrics, Cases, Perception. Benefits: Improved enterprise processes; Extended staff capabilities; Better service delivery; Faster solution delivery; Increased innovation; Reduced risk]
Service Delivery

Even more than for IT governance, the CIO sponsors the adoption and use of a Service Delivery framework. However, many more possible sponsors have been identified who push the issue onto the executive’s agenda.

Usage patterns are not much different from the IT Governance framework. However, while security and audit staff are also significant users, in this case they appear to play no role in promoting adoption and helping implementation.

[Figure: Sponsors Service Delivery Framework. Categories: CEO, CIO, COO, CTO, Head of IT, IT Manager, IT Services Director]

[Figure: Users and Leaders Service Delivery Framework. Categories: Senior management, IT management, IT professionals, Risk managers, Security staff, Compliance officers, Auditors]
When looking at intensity of usage, a totally different pattern emerges.

Probably because frameworks like ITIL have been used for many years by operations managers as their “roadbook”, and later on by CIOs, a much higher degree of maturity is revealed, with more than 60% of respondents using it at least as IT policy. A majority uses it for its practices and several even verify compliance.

The reason for implementing a Service Delivery framework appears at first sight the same as for governance, i.e., governance implementation and IT improvements. Surprisingly though, respondents also identified regulatory compliance and audit requirements as secondary reasons.

[Figure: Usage Maturity of ITIL. Categories: Not used at all; Just influenced by its concepts; To obtain guidance in decision making; In addition used regularly as reference material; Basis for IT policy but not for practices; Extensively used for practices but compliance not verified; Extracted practices applied and compliance verified. Percentages as they appear on the page: 2%, 16%, 12%, 10%, 6%, 35%, 19%]

[Figure: Drivers for implementing ITIL, rated High / Medium / Low. Drivers: Support regulatory compliance; Guide IT Governance implementation; Guide IT improvements; Reference for Audit; In response to a major incident; Support IT operations]
[Figure: Expected and Actual Benefits from Using ITIL, rated High / Medium / Low. Efficiency: Improved enterprise processes, Extended staff capabilities. Effectiveness: Better service delivery, Faster solution delivery. Risk: Increased innovation, Reduced risk]

CIOs expected more benefits from a Service Delivery framework and while results are overall better than for governance, again actual results are less than expected. However, the strong results in the ‘Medium’ column for actual benefits are encouraging.

While the heat chart for how benefits are demonstrated is again similar, with better service delivery being objectively measured and innovation being a matter of pure perception, there are indications that for process quality and speed of delivery, more metrics are being used.

Metrics that show up here which were not being used for governance are: SLA metrics and customer satisfaction.

[Figure: Heat map of How Benefits Are Demonstrated. Proof by: Metrics, Cases, Perception. Benefits: Improved enterprise processes; Extended staff capabilities; Better service delivery; Faster solution delivery; Increased innovation; Reduced risk]
The cost for implementing and using a service delivery framework appears to be much more supported by hard metrics compared to the cost measurement of IT Governance Frameworks.

Again estimates are fairly accurate but now both large and small companies are less accurate, spending about 10% more than estimated. Especially day-to-day usage in small companies is underestimated.

72% of respondents use external help to implement a service delivery framework, with on average 125 m/d for training and 225 m/d of expertise.

A better IT organisation and improved common ground were experiences similar to the lessons learned from implementing an IT governance framework. As more of the respondents have implemented ITIL or similar frameworks, the lessons learned were more extensive. Major improvements experienced were a better risk and configuration management, stronger focus on the support of the business processes and a standardised and measurable IT.

As for IT governance, the learning curve, management time and complexity of implementation were identified as negative experiences. Interesting to note was the lesson that driving change is hard, but foremost that people need to understand the reasons for the implementation and the changes it requires.

[Figure: how costs are measured. Categories: Cases, Perception, Metrics]

Estimate and Actual Costs of ITIL

COST in 1000€             Estimate   Actual
SMALL   Implementation    245        240
        Roll-out          190        200
        Usage             125        170
LARGE   Implementation    2900       3100
        Roll-out          3100       3500
        Usage             900        900
Information Security

As for the other domains, the CIO is most often the sponsor of the adoption of the Information Security Framework. However, leadership in implementation is shared between the CIO and the security staff.

Usage of the Information

The security framework and its practices have the broadest adoption of all frameworks in the survey. According to the responses, maturity of application is in between the governance and service frameworks. This is somewhat in contradiction with the broad usage in the enterprises, possibly due to the fact that most enterprises will adapt the standard framework to their own needs and risk profile.

[Figure: sponsors chart, captioned “Sponsors Service Delivery Framework” on the page. Categories: CIO, COO, CTO, CEO]

[Figure: Users and Leaders Information Security Framework. Categories: Senior management, IT management, IT professionals, Risk managers, Security staff, Compliance officers, Auditors]

[Figure: Usage Maturity of Information Security Framework. Categories: Not used at all; Just influenced by its concepts; To obtain guidance in decision making; In addition used regularly as reference material; Basis for IT policy but not for practices; Extensively used for practices but compliance not verified; Extracted practices applied and compliance verified. Percentages as they appear on the page: 15%, 30%, 13%, 7%, 9%, 13%, 15%]
The main drivers are, no surprise, regulatory compliance and audit. Nevertheless, enterprises feel that application of this framework will also improve IT and help with IT governance implementation.

Risk reduction is the major benefit identified by most enterprises and has also been fairly well achieved.

Respondents did not provide much data as to cost but it is generally estimated as ½ of the IT Governance Framework implementation. Notwithstanding, 60% of enterprises have objective metrics.

The major positive experiences identified were the increase in awareness and the reduction of risk. Interesting remarks in the lessons learned were that the framework was to the point, extensive and complete, and more useful than expected.

The survey recorded the same comments as for other frameworks on negative experiences: complexity, learning curve, hard to do, management time, senior management support.

[Figure: Drivers for an Information Security Framework, rated High / Medium / Low. Drivers: Support regulatory compliance; Guide IT Governance implementation; Guide IT improvements; Reference for Audit; In response to a major incident]

[Figure: Benefits of an Information Security Framework. Expected Benefits and Actual Benefits, rated High / Medium / Low]
3. Comparison to other Surveys

The IT Governance Institute published the results of two international surveys on the adoption and use of the IT governance frameworks CobiT and ValIT in 2008 and 2010.

The first covered responses from 750 companies. Europe, Asia and the Americas were about equally represented while the manufacturing industry and public sector were the major responders. Leadership for these frameworks was in the first place with the CIO but with a much larger role for other executives. What was also striking was that the non-IT responders of this survey were much more positive about IT, in terms of general management attention and value creation, than the IT responders.

The 2008 survey also noted, in the two years prior to the survey, a strong reduction in adoption of quality and ‘home-made’ frameworks and the growth of ITIL, CobiT and ISO27000.

Concerning maturity of use, the findings were similar to the CIONET survey: for 50% it is one of the enterprise’s references, for 25% it is the main source of reference, a little more than 10% are only influenced by it, and at the other end of the spectrum, a little less than 10% apply it by the book.

[Figure: Leadership. Categories: CIO, CEO, CFO]

Usage - % of enterprises
__ IT Balanced Scorecard: 3%
__ IT Governance (CobiT): 14%
__ Service Delivery (ITIL and ISO20000): 25%
__ Quality (ISO 9000): 14%
__ Information Security (ISO27000): 9%
__ Internally developed IT framework: 14%
__ Software (CMMI): 3%
The major constraints for adoption in 2008 were concerns for budget and expected benefits as well as a lack of knowledge and expertise on IT governance.

The IT Governance Institute Survey published in 2010 focused on process implementation and the benefits of IT Governance Frameworks like CobiT and ValIT, and received responses from over 500 companies worldwide. Governance over the processes of acquisition, change management, security and operations scored highest, while most processes nevertheless only scored around the middle of the scale from 1 = not implemented to 5 = fully implemented. The better implementations were noted in Europe, the finance industry and with the larger companies.

On achievement of business and IT goals, from 1 = not achieved to 5 = achieved, results are generally just above the middle, with the business financial goal scoring best and the future IT capabilities goal the least.

At a more detailed level, the better contributions of an IT Governance framework referred to IT compliance, information security and IT infrastructure, while service levels and cost optimisation were also positively impacted.

The survey also collected information to analyse the benefits of IT Governance practices by correlating process results to IT goals to business goals. The major conclusions are that this value chain is hard to analyse and prove, but also that there is a distinct and strong correlation between properly functioning operational and support-oriented processes and IT compliance and security goals, and compliance and risk business goals.

[Figure: Framework Benefits: Achievement of Goals. Business goals: Financial Orientation, Customer Focus, Internal Processes, Learning and growth. IT goals: Corporate contribution, IT User Orientation, IT Operations, Future IT Capabilities]

[Figure: value chain from properly functioning operational and support processes, to achieving IT compliance and security goals, to achieving business compliance and risk goals. Contributions listed:
__ Increased service levels
__ Improved cost optimisation
__ Increased IT compliance
__ Better maintenance of information security
__ Optimised IT infrastructure]
4. The Case Studies

IT Governance
Ben Farhangui, Director IT Governance & Compliance, Atos Worldline

The nature of Atos Worldline’s business, with a large range of IT products and services subject to a large number of local and global rules, calls for a well established framework for IT governance embraced by the senior executive team.

A framework like CobiT helps to understand the operational control requirements to drive the IT strategy and strengthen desirable behaviours irrespective of the fact that the different IT environments are centralised, de-centralised or federated.

Cobit helped identify the most relevant processes to start with, based on a selection of business goals. The relatively long list of processes was then filtered by first selecting those that were important and urgent, then those that provided opportunities and were highly feasible. Maturity and performance targets for the processes present in both lists were then set to start the improvement programme.

The programme consisted of assigning roles and responsibilities to ensure process governance, integrating tools in the different regions, and ensuring process adherence through awareness programmes, while strongly building on existing processes and know-how.

The major lesson learned was that vision, skills, resources and action plan should all support gradual change, avoiding confusion, anxiety, frustration and false starts. Ben called it “stealth governance”!

[Figure: scatter plot of CobiT processes, with axes “Important & urgent” and “Opportunity & Feasibility”, each scaled 0 to 70]
Service Delivery
Stefan Mertens, Director of Operations & Customer Services @ M-team

M-team is today an IT service provider for 3 unions and 27 healthcare payers (neutral, liberal, free) on the Belgian market. M-team provides IT services to 5000 end-users serving 2.7 million affiliates from 1700 branch offices.

A few years ago, M-team proposed a gradual IT-infrastructure centralisation. The decision was mainly driven by the economy of scale potential for its customers owning and managing their own distributed infrastructure and resources. In a world where cost and quality are more and more under pressure, the management quickly recognized the need to evolve from an informal technology driven organization to a service oriented organization.

M-team’s approach for this transformation toward industrialization has been very pragmatic from the beginning. Although it was recognized that frameworks like ITIL or CobIT can substantially help, proper governance and a strong focus on short term delivery with visible benefits were the most critical success factors.

The motto “adopt and adapt” was introduced, ensuring that frameworks were used only when value was delivered to M-Team customers and never for the sake of using them.

Notwithstanding the pragmatic approach and value objective, a rigorous process was used: identification of essential processes, maturity assessment, gap definition and building momentum with quick-wins.

Stefan especially stressed that in such a transformation project, while the guidance and usage of appropriate frameworks are essential, success can only be guaranteed with a clear communication plan and a built-in progress monitoring mechanism, while being careful not to embrace too much at the same time.

[Figure: A clear communication plan and a built-in progress monitoring mechanism. Steps: identification of essential processes; maturity assessment; gap identification; build momentum with Quick-Wins]

Information Security
Peter Billiau, (former) CIO Dexia Group

Dexia’s approach towards frameworks is holistic and pragmatic, but while ISO2700x is a “mandatory” inspiration, the Web Application Security standard, the Set of Secure Development Guidelines from MicroSoft and a very strict application of Rational SD for web based applications are even more important.

ISO2700x in his view provides guidelines and very good Best Practices more than directly applicable solutions, but they do not plan on certification. Reasons for this are that frameworks are not pragmatic enough, are costly and require strong process integration. Hence, Dexia’s preference for frameworks directly applicable in the field.

Peter pointed out there is no magic framework for clients. It is therefore required to educate their clients to make them aware of Security and Data Privacy issues. He expressed the need to focus on real threats and their mutations and also warned that frameworks do not provide per se effective responses to current attack patterns. As a result, IT Security Incident Management, inspired by ITIL and ISO2700x, is a priority.
5. Major findings from the Break-out Sessions

Some 30 attendants discussed intensively in 6 working groups about the justification of framework investments, how to plan for success, what risks to avoid and what a typical (successful) implementation would look like. Below is a summary of their findings.

1. How to justify framework investments?
__ The framework will make IT deliver to your expectations, control the schedule, promote a common language and will help you to avoid costs.
__ Use a slogan, e.g.: “The framework will make IT deliver to your expectations; control the schedule, promote a common language and will help you to avoid cost”
__ Link argumentation to the business strategy
__ Demonstrate measurable business value (end-user experience, regulatory, cost reduction, positive business value, risk mitigation)

2. How to plan for success?
__ Find opportunities to sell (initiatives, incidents, stakeholder having problems)
__ Integrate governance practices into investment business cases (“stealth”)
__ Show successes, show that it works and then tell all
__ Convince the people who eventually will have to execute and make them your ambassadors
__ Obtain top management support (e.g. a framework as top-down policy)
__ Manage stakeholders (actors and beneficiaries) from the beginning by identifying and managing their expectations
__ While not ignoring the need to point out risks, the primary relationship between champions of the framework, management and those needing to act needs to be built on TRUST, based on the alignment of organisational and personal values of those involved
__ “Think big, start small”
__ Get an executive sponsor
__ Measure customer satisfaction (but always relate to business expectations)
__ Also measure service unit cost, schedule achievement, incidents etc
__ Get buy-in from the business for the metrics used

3. What are the risks to avoid?
__ Focus on the implementation of the framework as an objective on its own
__ Not properly managing the expectations
__ Not making the goals explicit, and not highlighting the benefits
__ Not identifying/recognizing the need to improve as a key driver
__ Inadequate scope, or scope definition process
__ Incorrect timing and phase definition
__ Unbalanced or insufficient internal knowledge and skills
   __ Large organization: look more for generalists
   __ Small organization: look more for specialists
__ Underestimating the impact of change to the organisation
__ Poor business case (e.g. imbalance between budget, scope and objectives)
__ Lack of support from the top (e.g. board, top management)
__ Loss of stakeholders’ trust during implementation

4. What is the profile of a framework implementation?
__ Gradual, incremental approach (quick-wins), holistic & pragmatic
__ A good communications plan explaining the why, what is in it for everyone
__ All involved understand the framework
__ A change enabler community, involving stakeholders early
__ Continuous Communication
__ Shows the right objectives based on pain points, As-Is/To-Be gaps, demand/supply balance and strategic drivers
__ Aligns first internally, then aligns with the business
__ Objectives are agreed and shared
__ Objectives are measured and success is celebrated
__ Run as a Project, possibly “slicing” the project and showing results per “slice”
__ Visible, continuous and systematic measurements
Conclusion

The benefits of implementing an IT governance framework are perceived to be less than hoped for and create a high learning curve for managers even though it usually costs 20% less than expected. Notwithstanding, they do provide a better organisation, more useful management information and a higher maturity.

ITIL as the example ‘par excellence’ of IT service frameworks is the most widely used and despite the detail, complexity and management learning curve, does provide a better IT organisation.

A security framework implementation generally costs ½ of an IT Governance framework and is often considered to be more useful than originally expected.

Even though it kicks in an open door, all framework implementations also require senior management support. So if you do not have it to begin with, don’t get started! Or as some of the break-out attendees suggested, do it in a ‘stealthy’ manner, bottom up.

But if you do have senior management support you should nevertheless take on board this very insightful comment from one of the participants:

Adoption of frameworks is neither a simple nor a self-contained project with measured costs. It is a gradual shift and interrelates with many other initiatives.
Author

Erik Guldentops, CISA, CISM
2010 Executive Professor
2011 Visiting Lecturer
University of Antwerp Management School
Schapulierstraat 14/3/1
B-1800 Vilvoorde, Belgium
tel +32-2-251-9551
gsm +32-475-432-748
net firstname.lastname@example.org

Contributors

The IT Governance Working Group consisting of:
__ Georges Ataya, Solvay Business School
__ Hendrik Deckers, CIONET
__ Erik Guldentops, Universiteit Antwerpen Management School
__ Luc Hendrikx, Accenture
__ Daniel Van den Hove, ICT Control
__ Johan Van Grieken, Deloitte
__ Prof. dr. Steven De Haes, University of Antwerp & Antwerp Management School

CIONET would like to thank the many responders to the survey as well as the presenters and attendants of the breakouts at the event on The Value of IT Frameworks held in September 2011.

When not enjoying his retirement, Erik lectures on the subjects of IT security and control, IT governance, and risk management at the Management School of the University of Antwerp, Belgium. He worked for many years at SWIFT (Society for Worldwide Interbank Financial Telecommunication), where he held the positions of Inspector-general and Director of Information Security and worked with its board and executive management on the subjects of governance, risk, security and control. He held several positions in ISACA and the IT Governance Institute between 1989 and 2007. Often referred to as “The Father of CobiT”, he led the development of COBIT and Val IT. He currently chairs a panel of professors that reviews the master of IT audit programmes in four universities in The Netherlands.

About CIONET

We are CIONET, the biggest community of IT executives in Europe. Bringing together over 3500 CIOs, CTOs and IT directors from wide-ranging sectors, cultures, academic backgrounds and generations, CIONET’s membership represents an impressive body of expertise in IT management.
CIONET’s mission is to feed and develop that expertise by providing top-level IT executives with the resources they need to realise their full potential.

CIONET develops, manages and moderates an integrated array of tools and services from the online CIONET platform – the world’s first social network for CIOs – to a range of offline networking events, conferences, workshops and executive education programmes all tailored to top-level management. CIONET also provides exclusive access to the latest research through regular online and offline publications and a number of value adding partnerships with key players from the academic and corporate worlds.

Faced with the rapidly changing role of today’s IT executive, CIONET not only helps its members keep up with the pace of change but empowers them to take an active role in shaping the future of their field, always challenging them with “What’s next.”