An IT Governance program

A program description of an IT governance methodology for large and small programs where COBIT or ITIL may not be in your plans.

More at www.sqpegconsulting.com, Square Peg Consulting
John Goodpasture, PMP

Published in: Technology, Business

  1. An IT Governance Program, June 2008
  2. IT Governance – Definition, Purpose, and Scope
     (Table: Governance / Meaning and Intent)
     - Definition: IT Governance is a management program executed by IT and business managers that:
       - empowers those managers to action,
       - endows their decision-making rights, and
       - provides accountability for changes to IT systems and capabilities
     - Purpose: Governance is intended to maximize the business value of IT investments, and to minimize the risks to business performance from changes to IT systems and capabilities
     - Scope: The governance program provides a policy and management framework, a protocol for exercising decision rights, and an accountability regimen
     - Related Programs: Application SOx and ISMS governance are dotted-line to IT Governance
     - To whom governance applies: All managers and practitioners proposing, approving, or making changes to IT systems and capabilities
     - When governance applies: All lifecycle stages: requirements & design, implementation, maintenance, retirement
  3. IT Governance ‘community’
     - The ‘community’ governed consists of the resources, systems, and capabilities assigned to the corporate enterprise, as well as those exclusively in the business units and subsidiaries
     - The governance regimen recognizes that business units and subsidiary operations are likely to acquire and maintain capabilities that are not supported directly by IT
       - Limited governance is ‘limited to’ utilization of enterprise assets, like computers, connectivity to the enterprise networks and systems, adherence to enterprise information security protocols, and adherence to vendor licensing and product distribution policies
  4. IT Governance – Policy
     (Table: Policy component / Meaning and Intent)
     - Charter:
       - IT Governance should be chartered and endorsed by the Chairman and CEO
       - Policies should be jointly approved, as appropriate, with division chiefs and business unit managers
     - Framework:
       - Similar to ISMS, IT Governance should have a policy library of governing documents
       - Dependencies with ISMS, SOx, and IT Policies should be identified and managed in a policy cross-reference
     - Deployment:
       - A communications and deployment plan should be developed and implemented
       - Policies should be available on-line from the intranet
     - Compliance:
       - Compliance measurement and accountability should be actively managed
  5. IT Governance – Policy
     (Table: Policy component / Meaning and Intent)
     - Shared Assets: To maximize their business value, applications, systems, infrastructure, and data are to be shared among business units
       - Stand-alone exceptions are allowable with approval
       - Stand-alone renegades are to be actively discouraged
     - Governance for shared assets: The policy objectives are to drive outcomes that:
       - Enable business efficiencies to address the marketplace and customer communities,
       - Mitigate performance and compliance risks,
       - Reduce the cost of business unit interoperability and functional coordination,
       - Provide for disaster recovery, ensure integrity, protect confidentiality, and
       - Assure reliability and availability of business systems
  6. Management framework for governance
     - Management objectives:
       - Tie IT investment to business value and results
       - Codify decision-making rights
       - Manage risks that affect business performance and accountability
       - Provide accountability of IT value-add
     - Management domains affecting governance:
       - Planning and Organization
         - Align IT goals with business goals; develop actionable strategy
         - Align project portfolio and resources with strategy
       - Acquisition and Implementation
         - Manage changes in IT systems and capabilities
         - Manage projects, and risk to business performance
       - Delivery and Support
         - Manage the post-project lifecycle for governance compliance
       - Monitoring
         - Dashboards for ongoing activity
         - Scorecards for results
         - Benchmarks for direction and industry alignment
  7. Management teams and team missions
     - Executive team
       - Provide approval & oversight of strategic projects
       - Provide oversight of IT scorecard and benchmarks
     - IT Business Council (aka Change Control Board)
       - Implement a change approval process
       - Mitigate risks reported on project dashboards
       - Report scorecard results
     - IT Management Team
       - Implement approved changes
         - Project and work-package methods
       - Provide Process Relationship Facilitators (aka Business-IT liaisons)
         - Interpret IT policy & procedure at the business unit level
     - Architecture Guidance Group
       - Recommend strategic technologies, standards, migrations and upgrades
     - Capital approval committee
       - Approve capital requests
       - Apply financial measures: ROI, ROA, EVA
  8. Governance at three levels
     - Governance is made applicable according to the impact and complexity of the initiatives
     - Enterprise (strategic goals): Enterprise initiatives measured by fit to the strategic plan, governed by a Level 2 Business Case, and reported to the Executive Team on a project scorecard
     - Process & Performance (at the business unit scorecard): Process & Performance initiatives affecting one or more business units, supported by a Level 1 business case, measured by fit to the business unit scorecard, and reported to the IT Business Council on a scorecard
     - Technical or Functional (measured inputs, outputs, and function): Technical or Functional fix initiatives affecting specific interfaces, reports, performance, or functionality of systems or applications with approved capability, as reported on ASRs
  9. Decision Rights for IT governance
     - Policy: Decisions are made at the lowest level unless the rights are specifically enumerated at a designated management level
       - Decided at the Strategic Impact level:
         - Changed or new functionality, interoperability with 3rd parties, or infrastructure that will have a material impact on business operations
         - Require capital approvals over $X, or exceed approved expense budgets by $X
       - Decided at the Process or Performance level:
         - Cross-functional changes or changes which have cross-functional dependencies, otherwise not of strategic impact, and within planned budget limits, with expense budget exceeding $Y
       - Decided at the Technical or Functional Fix level:
         - Fixes to otherwise approved function and infrastructure, or new, with expense budget < $Y
         - Infrastructure changes and upgrades not of strategic impact, and within planned budget limits
  10. Decision making Process for change approval
     - Strategic Impact decisions require:
       - Level 1 & 2 Business Case & Project Plan with Scorecard of end-state business value
         - A strategic impact project could emerge from an ASR
       - Executive sponsor who accepts the benefits responsibility
  11. Decision making Process for change approval
     - Process & Performance decisions require:
       - Level 1 & 2 Business Case & Project Plan with Scorecard of end-state business value
         - Likely begins with a problem report
       - Business sign-off in lieu of Executive sponsor
  12. Decision making Process for change approval
     - Technical or Functional Fix decisions require a Level 2 project plan supported by a business case
  13. Principles that guide IT decision-making
     - Management principles to be embodied in decision-making:
       - Efficiency: most productive and economical use of resources
         - Throughput, cost, schedule, cost of quality
       - Effectiveness: doing the right thing the right way
         - Achievements, quality fit, mission accomplishment
       - Confidentiality: protection of sensitive information from unauthorized disclosure
       - Integrity: accuracy, validity, and completeness of information
       - Availability: information being present and accessible, and safeguarding necessary resources and associated capabilities
       - Compliance: meeting the requirements of laws, regulations and contractual arrangements
       - Reliability: dependable integrity
  14. Governance Measurements
     - Input – An input measure evaluates what resources or activities are required to achieve an objective, such as the number of employees certified to implement a system.
     - Output – An output measure describes the level of work or services provided to achieve an objective, such as number of help desk responses, or number of reports created.
     - Outcome – Outcome measures describe the actual results of a system or program. These generally relate to the intended purpose of the system or program, such as “to improve organizational effectiveness.” Outcome measures can often summarize the results of many actions into one defining statement. Of course, outcome measures may be harder to define if they draw from a number of different sources of assessment (i.e. system performance and customer satisfaction).
     - Lag measures – These are measures that typically measure accomplishments after completion. A lag measure is characterized by terminology such as “project completed on a specific date” or “customer satisfaction is 4.5 on a scale of 5 in a survey.”
     - Lead measures – These are performance drivers that typically measure progress toward outcomes. A lead measure might be the level of traffic on the supply status web site. Increased usage might indicate that customers and dealers are using the system regularly and might foreshadow improved visibility of supply status.
  15. Policy Library
     - Adapt a policy library from proven industry models
       - Coordinate with the ISMS and IT policy libraries
     - Three prominent industry models on governance in IS systems:
       - COBIT: “Control Objectives for Information and related Technology”
         - Published by the IT Governance Institute at www.isaca.org
         - Model has 5 focus areas and 34 IT processes
       - COSO: Committee of Sponsoring Organizations of the Treadway Commission
         - Preferred model for SOx compliance
           - Securities and Exchange Commission endorsed
         - Main focus is on financial controls, with IT as a tool
       - ITIL: The Information Technology Infrastructure Library
         - Sponsored by the government of the United Kingdom
           - Runs a close second to COBIT in the United States
         - It offers eight sets of management procedures in eight books:
           - service delivery, service support, service management
           - ICT infrastructure management, software asset management
           - business perspective, security management and application management
  16. Appendix: to-do list
  17. Appendix: ITIL framework
     Background on the ITIL Framework
     Developed in the 1980s by the United Kingdom's Central Computer and Telecommunications Agency (CCTA) after realizing a lack of a methodical approach to the IT infrastructure, ITIL has since permeated Europe's business and service sector. The CCTA, now called the OGC (Office of Government Commerce), continues to work with ITIL by continuously enhancing it as well as creating new programs.
     ITIL V3 is not a standard, but it is supported by a standard (ISO 20000) and a certification scheme from the International Standards Organization (ISO). Recently, however, global companies have begun importing the useful framework into their businesses in the U.S. and have been pleased with the results and feedback. The ITIL framework, generally referred to as a set of best practices for managing information technology services, ensures that companies have a system for meeting or anticipating a customer's needs. The most recent revision of the methodology, ITIL V3, was released in June 2007 and has steadily grown in popularity with U.S. companies.
     The Usefulness of the ITIL Cycle
     The ITIL V3 cycle, fed by Business Value, consists of Service Strategy, which spurs Service Operation, Service Design, and Service Transition. Encompassing the cycle is the Continual Service Improvement element. Many U.S. businesses working with the ITIL framework now understand the usefulness of the framework and how it can help manage business solutions and keep track of customer service. Service Strategy, sometimes referred to as the hub of ITIL V3, is used to establish a plan for providing customer service. From this point, three sets of processes work to turn these plans into action. Service Design develops and creates services to bolster the plan, and includes purchasing appropriate software or systems and tailoring them to the company's specific needs. When this new system of software is ready to use, Service Transition ensures that it is implemented correctly by performing control checks or tests. Service Operation processes requests from a company's customer base and addresses failures in the system. The largest part of ITIL is Continual Service Improvement, which is the process that constantly monitors and regulates services in addition to making improvements if needed.
     Extracted from: “ITIL V3 Arrives”, Alan Koch, project@work.com