Business ProjectProject Progress Evaluation Feedback Form .docx

Business Project
Project Progress Evaluation
Feedback Form Week 3
Date:
__________________________________________________
Student Name:
__________________________________________________
__________________________________________________
Project Title: Effect Of Increasing Training Budget
Project Type: Business Research
Researchers:
Has a topic been chosen and a problem statement created?
Yes { } NO { }
Was the problem statement submitted in a 1-4 page paper that
includes an introduction to the topic with appropriate
documentation?
Yes { } No { }
Specifically, if any, needs additional content or rewriting to
create more clarity? What specific recommendations do you
have to help in this process?
_____________________________________________________
___________________
_____________________________________________________
___________________

_____________________________________________________
___________________
_____________________________________________________
___________________
What is your workable timetable that states specific objectives
and target completion dates for completing the final draft of the
plan? Write the timetable below:
_____________________________________________________
___________________
_____________________________________________________
___________________
_____________________________________________________
___________________
_____________________________________________________
___________________
Feedback Form #3 – Project Proposal and Plan
▼
THE UK’S LEADING PROVIDER OF EXPERT SERVICES
FOR IT PROFESSIONALS
NATIONAL COMPUTING CENTRE
IT Governance
Developing a successful governance strategy

A Best Practice guide for decision makers in IT
IT Governance
A Best Practice guide for decision makers in IT
The effective use of information technology is now an accepted
organisational imperative - for
all businesses, across all sectors - and the primary motivation;
improved communications and
commercial effectiveness. The swift pace of change in these
technologies has consigned many
established best practice approaches to the past. Today's IT
decision makers and business
managers face uncertainty - characterised by a lack of relevant,
practical, advice and standards
to guide them through this new business revolution.
Recognising the lack of available best practice guidance, the
National Computing Centre has
created the Best Practice Series to capture and define best
practice across the key aspects of
successful business.
Other Titles in the NCC Best Practice series:
IT Skills - Recruitment and Retention ISBN 0-85012-867-6

The New UK Data Protection Law ISBN 0-85012-868-4
Open Source - the UK opportunity ISBN 0-85012-874-9
Intellectual Property Rights - protecting your intellectual assets
ISBN 0-85012-872-2
Aligning IT with Business Strategy ISBN 0-85012-889-7
Enterprise Architecture - understanding the bigger picture ISBN
0-85012-884-6
IT Governance - developing a successful governance strategy
ISBN 0-85012-897-8
Security Management - implementing ISO 27000 ISBN 0-
85012-885-4
All title are available from NCC see the website for further
details www.ncc.co.uk
The National Computing Centre - generating best practice
1
IT Governance
Developing a Successful
Governance Strategy
A Best Practice Guide for Decision Makers in IT
IT Governance Developing a Successful Governance Strategy
2 3
Foreword
For organisational investment in IT to deliver full value, it is
recognised that IT has to be fully aligned to business strategies
and direction, key risks have to be identified and controlled,

and legislative and regulatory compliance demonstrated. IT
Governance covers this and more, and in light of recent
corporate failures, scandals and failure, enjoys a higher profile
today
than ever before.
Back in 2003, IMPACT launched an IT Governance Specialist
Development Group (SDG) to identify the issues that need to be
addressed and to share and further develop the practical
approaches to IT governance used in their organisations.
Over the past two years, heads of IT governance from Abbey,
Aon, Avis, Barclays, BOC, DfES, Eli Lilly, Learning & Skills
Council, Legal & General, NOMS, Royal Mail and TUI Group
have examined what they identified as the key topics and, with
the guidance of IT governance expert Gary Hardy, have defined
the good practices captured in this guide.
For further information on the IMPACT Programme, its
Professional Development Programme and the IT Governance
and
CobiT Specialist Development Group, please contact Elisabetta
Bucciarelli on 0207 842 7900 or email [email protected]
impact-sharing.com. The IMPACT Programme is a division of
the National Computing Centre.
The IMPACT Programme
International Press Centre
76 Shoe Lane
London EC4A 3JB
IT Governance
A Best Practice Guide for decision makers in IT
Published by

The National Computing Centre
Oxford House
Oxford Road
Manchester
M1 7ED
Website: www.ncc.co.uk
Tel: 0161 242 2121
Fax: 0161 242 2499
First published November 2005
Copyright © National Computing Centre 2005
ISBN: 0-85012-877-8
British Cataloguing in Publication
A CIP catalogue record for this book is available from the
British Library
Printed and bound in the UK
All rights reserved: no part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any
form or by any means,
electronic, mechanical, photocopying, recording or otherwise
without either the prior written permission of the authors and
Publisher or as
permitted by the Copyright, Designs and Patents Act 1988.
Enquiries for such permissions should be made to the Publisher.
Disclaimer
Every care has been taken by the authors, and by the National
Computing Centre, and associated working groups, in the
preparation of this
publication, but no liability whatsoever can be accepted by the

authors or by National Computing Centre, or associated NCC
working groups,
for actions taken based on information contained in this
document.
All trademarks acknowledged.
2 3
1 IT Governance – The Business Case . . . . . . . . . . . 4
1 . 1 W h y i s I T G o v e r n a n c e i m p o r t a n t ? . . .
. . . . . . . 5
1 . 2 W h a t d o e s I T G o v e r n a n c e c o v e r ? . . . .
. . . . . . 6
1 . 3 W h a t a r e t h e b e n e f i t s ? . . . . . . . . . . .
. . . . . . 6
1 . 4 W h a t i s I T G o v e r n a n c e b e s t p r a c t i c e ?
. . . . . . . 7
2 Performance Measurement . . . . . . . . . . . . . . . . .
. 9
2 . 1 W h y i s p e r f o r m a n c e m e a s u r e m e n t i m p
o r t a n t ? . 9
2 . 2 W h a t d o e s p e r f o r m a n c e m e a s u r e m e n t
c o v e r ? . 1 0
2 . 3 W h o a r e t h e s t a k e h o l d e r s a n d w h a t a r
e
t h e i r r e q u i r e m e n t s ? . . . . . . . . . . . . . . . .
. . . . 11
2 . 4 W h a t s h o u l d w e m e a s u r e ? . . . . . . . . .
. . . . . . 1 2

2 . 5 W h a t i s b e s t p r a c t i c e ? . . . . . . . . . . . .
. . . . . . 1 2
3 Implementation Roadmap . . . . . . . . . . . . . . . . . .
. 1 4
3 . 1 G o a l s a n d s u c c e s s c r i t e r i a . . . . . . . .
. . . . . . . 1 4
3 . 2 H o w t o g e t s t a r t e d . . . . . . . . . . . . . . .
. . . . . 1 5
3 . 3 W h o n e e d s t o b e i n v o l v e d a n d w h a t a r
e t h e i r
r o l e s a n d r e s p o n s i b i l i t i e s ? . . . . . . . . . .
. . . . . 1 6
4 Communication Strategy & Culture . . . . . . . . . . . . .
1 8
4 . 1 W h o d o w e n e e d t o i n f l u e n c e ? . . . . . .
. . . . . . 1 8
4 . 2 W h a t a r e t h e k e y m e s s a g e s ? . . . . . . . .
. . . . . 1 9
4 . 3 C o m m u n i c a t i o n b e s t p r a c t i c e s . . . . .
. . . . . . . 2 0
4 . 4 D e v e l o p i n g a n i n f l u e n c i n g s t r a t e g y .
. . . . . . . . 2 0
4 . 5 C h a n g e r o a d m a p . . . . . . . . . . . . . . . .
. . . . . 2 2
5 Capability Maturity & Assessment . . . . . . . . . . . . .
. 2 3
5 . 1 W h y I T c a p a b i l i t y i s i m p o r t a n t . . . . .
. . . . . . . 2 3
5 . 2 H o w t o m e a s u r e I T c a p a b i l i t y . . . . . .
. . . . . . . 2 4
5 . 3 S e t t i n g m a t u r i t y t a r g e t s a n d c o n s i d e r
i n g

i m p r o v e m e n t s . . . . . . . . . . . . . . . . . . . . .
. . . 2 5
5 . 4 R o a d m a p f o r s u s t a i n i n g t h e a p p r o a c h
. . . . . . . 2 5
5 . 5 S e l f a s s e s s m e n t t o o l . . . . . . . . . . . . .
. . . . . . 2 6
6 Risk Management . . . . . . . . . . . . . . . . . . . . .
. . . . 2 8
6 . 1 W h a t a r e t h e r i s k s ? . . . . . . . . . . . . . .
. . . . . . 2 8
6 . 2 W h a t i s t h e b e s t a p p r o a c h f o r r i s k a n a
l y s i s
a n d m a n a g e m e n t ? . . . . . . . . . . . . . . . . . .
. . 2 9
6 . 3 U s i n g s t a n d a r d s a n d b e s t p r a c t i c e s –
i s c e r t i f i c a t i o n u s e f u l ? . . . . . . . . . . . . .
. . . . . 3 0
6 . 4 W h a t a r e t h e r o l e s o f m a n a g e m e n t , s t a
f f
a n d a u d i t o r s ? . . . . . . . . . . . . . . . . . . . . .
. . . 3 1
6 . 5 W h o n e e d s t o b e c o m p e t e n t ? . . . . . . .
. . . . . . 3 1
6 . 6 W h a t c o m p e t e n c e i s r e q u i r e d ? . . . . . .
. . . . . . 3 2
6 . 7 H o w t o o b t a i n , d e v e l o p , r e t a i n a n d v e
r i f y
c o m p e t e n c e . . . . . . . . . . . . . . . . . . . . . .
. . . 3 3
6 . 8 W h e n t o s o u r c e c o m p e t e n c e f r o m o u t s

i d e . . . . 3 5
6 . 9 K e y l e a r n i n g p o i n t s . . . . . . . . . . . . .
. . . . . . . 3 5
7 Supplier Governance . . . . . . . . . . . . . . . . . . . .
. . . . 3 7
7 . 1 W h y i s s u p p l i e r g o v e r n a n c e i m p o r t a n
t ? . . . . . . 3 7
7 . 2 T h e c u s t o m e r ’s r o l e . . . . . . . . . . . . . .
. . . . . 3 8
7 . 3 H o w b e s t t o s e l e c t a s u p p l i e r . . . . . .
. . . . . . . 4 0
7 . 4 T h e c u s t o m e r / s u p p l i e r r e l a t i o n s h i p .
. . . . . . . . 4 0
7 . 5 S e r v i c e m a n a g e m e n t t e c h n i q u e s a n d S
L A S . . . 4 1
7 . 6 T h e s u p p l i e r / o u t s o u r c i n g g o v e r n a n c e
l i f e c y c l e . 4 2
8 IT & Audit Working Together and Using CobiT . . . . . 4 3
8 . 1 I n t r o d u c t i o n t o C o b i T . . . . . . . . . . . .
. . . . . . 4 3
8 . 2 H o w i s C o b i T b e i n g u s e d ? . . . . . . . . .
. . . . . . 4 4
8 . 3 W h a t a r e t h e r o l e s o f I T a n d a u d i t f o r
I T G o v e r n a n c e ? . . . . . . . . . . . . . . . . . . .
. . . 4 5
8 . 4 H o w c a n I T a n d i n t e r n a l a u d i t w o r k b e
t t e r
t o g e t h e r ? . . . . . . . . . . . . . . . . . . . . . . . .
. . . 4 5
9 Information Security Governance . . . . . . . . . . . . . .
4 8

9 . 1 B a c k g r o u n d . . . . . . . . . . . . . . . . . . .
. . . . . . 4 8
9 . 2 W h a t i s i n f o r m a t i o n s e c u r i t y ? . . . . .
. . . . . . . . 4 9
9 . 3 W h e r e t o f o c u s . . . . . . . . . . . . . . . . .
. . . . . . 5 0
9 . 4 R o l e s a n d r e s p o n s i b i l i t i e s . . . . . . . .
. . . . . . . 5 0
9 . 5 A c t i o n p l a n n i n g a n d b e s t p r a c t i c e . . .
. . . . . . . 5 2
10 Legal & Regulatory Aspects of IT Governance . . . . . 5 3
1 0 . 1 L e g a l a n d r e g u l a t o r y f a c t o r s a f f e c t i
n g
I T G o v e r n a n c e . . . . . . . . . . . . . . . . . . . .
. . . 5 3
1 0 . 2 R o l e s a n d r e s p o n s i b i l i t i e s . . . . . . .
. . . . . . . . 5 4
1 0 . 3 B e s t a p p r o a c h t o c o m p l i a n c e . . . . . .
. . . . . . . 5 5
1 0 . 4 W h a t I T h a s t o d o . . . . . . . . . . . . . . .
. . . . . . 5 6
1 0 . 5 D e a l i n g w i t h t h i r d p a r t i e s . . . . . . .
. . . . . . . . . 5 8
1 0 . 6 C r i t i c a l s u c c e s s f a c t o r s . . . . . . . . .
. . . . . . . . 5 9
11 Architecture Governance . . . . . . . . . . . . . . . . .
. . . 6 0
11 . 1 W h y i s a r c h i t e c t u r e g o v e r n a n c e i m p
o r t a n t ? . . . 6 0
11 . 2 W h a t a r e t h e o b j e c t i v e s o f a r c h i t e c t
u r e
g o v e r n a n c e ? . . . . . . . . . . . . . . . . . . . . . .

. . 6 1
12 Managing the IT Investment . . . . . . . . . . . . . . . .
. . 6 3
1 2 . 1 W h y i s m a n a g i n g t h e I T i n v e s t m e n t i
m p o r t a n t ? 6 3
1 2 . 2 P o r t f o l i o m a n a g e m e n t . . . . . . . . . . .
. . . . . . . 6 4
1 2 . 3 B e n e f i t s m a n a g e m e n t . . . . . . . . . . .
. . . . . . . 6 5
1 2 . 4 M e a s u r i n g i n v e s t m e n t p e r f o r m a n c e .
. . . . . . . 6 5
1 2 . 5 I m p r o v e v a l u e d e l i v e r y a n d R O I . . .
. . . . . . . . 6 6
1 2 . 6 M e a s u r i n g a n d c o n t r o l l i n g I T o p e r a t
i o n a l c o s t s 6 6
1 2 . 7 P r o j e c t r i s k m a n a g e m e n t . . . . . . . . .
. . . . . . . 6 6
13 Success Factors . . . . . . . . . . . . . . . . . . . . . .
. . . . 6 7
Contents
4 5
1 IT Governance – The Business Case
1.1 Why is IT Governance important? . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
1.2 What does IT Governance cover? . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
1.3 What are the benefits? . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4 What is IT Governance best practice? . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
The guide focuses on 12 key topics selected by the group
because of their importance to effective IT governance:
T h e b u s i n e s s c a s e – T h e o r g a n i s a t i o n n e e
d s t o u n d e r s t a n d t h e v a l u e p r o p o s i t i o n
P e r f o r m a n c e m e a s u r e m e n t – I s t h e s h i p “
o n c o u r s e ” ?
I m p l e m e n t a t i o n r o a d m a p – H o w t o s t a r t –
W h a t p a t h t o f o l l o w
C o m m u n i c a t i o n s – H o w t o e x p l a i n t h e o b j
e c t i v e s a n d c h a n g e t h e c u l t u r e
C a p a b i l i t y a s s e s s m e n t – F i n d i n g o u t t h e
t r u e c u r r e n t s t a t e o f I T g o v e r n a n c e
R i s k m a n a g e m e n t – W h a t r i s k s e x i s t a n d
h o w t o m a k e s u r e t h e y a r e d e a l t w i t h
S u p p l i e r g o v e r n a n c e – E x t e r n a l p a r t i e s p
l a y a b i g r o l e a n d m u s t b e i n c l u d e d
I T a n d a u d i t w o r k i n g t o g e t h e r – H o w t o c
o - o p e r a t e f o r a c o m m o n g o a l
I n f o r m a t i o n s e c u r i t y – A k e y t o p i c i n t o d
a y ’s n e t w o r k e d e n v i r o n m e n t
L e g a l a n d r e g u l a t o r y a s p e c t s – C o m p l i a n
c e i s a g l o b a l c o n c e r n
A r c h i t e c t u r e s – T h e f o u n d a t i o n f o r e f f e c
t i v e t e c h n i c a l s o l u t i o n s
M a n a g i n g i n v e s t m e n t s – E n s u r i n g v a l u e i
s d e l i v e r e d a n d b e n e f i t s r e a l i s e d
Implementation of this guidance, or indeed any IT best practice,
should be consistent with your organisation’s management
style and the way your organisation deals with risk management
and delivery of IT value. Please share these ideas with your

business users, external service providers, and auditors, since to
realise their full value, all stakeholders of IT services should
be involved.
All analysts currently agree that probably the biggest risk and
concern to top management today is failing to align IT to real
business needs, and a failure to deliver, or be seen to be
delivering, value to the business. Since IT can have such a
dramatic
effect on business performance and competitiveness, a failure to
manage IT effectively can have a very serious impact on the
business as a whole.
Corporate Governance generally has taken on even greater
significance. It is being recognised that IT has a pivotal role to
play
in improving corporate governance practices, because critical
business processes are usually automated and directors rely on
information provided by IT systems for their decision making.
With the growth of direct connection between organisations and
their suppliers and customers, and more and more focus on how
IT can be used to add value to business strategy, the need
to effectively manage IT resources and avoid IT failures and
poor performance has never been greater.
The current climate of cost reduction and budget restriction has
resulted in new norm – there is an expectation that IT
resources should always be used as efficiently as possible and
that steps are taken to organise these IT resources ready for
the next cycle of growth and new IT developments. A key
aspect of these factors is the increasing use of third party
service
providers and the need to manage these suppliers properly to
avoid costly and damaging service failures.
This briefing provides a high level set of business arguments

for IT Governance. It also explains how an IT Governance
initiative can enable business and IT executives to:
B e s u r e t h a t t h a t t h e y a r e a w a r e o f a l l I T
r e l a t e d r i s k s l i k e l y t o h a v e a n i m p a c t o n
t h e i r o r g a n i s a t i o n ;
K n o w h o w t o i m p r o v e t h e m a n a g e m e n t p r
o c e s s e s w i t h i n I T t o m a n a g e t h e s e r i s k s ;
E n s u r e t h e r e a r e m a n a g e a b l e r e l a t i o n s h i
p s w i t h s u p p l i e r s , s e r v i c e p r o v i d e r s a n d
w i t h t h e b u s i n e s s ( c u s t o m e r s ) ;
E n s u r e t h e r e i s a t r a n s p a r e n t a n d u n d e r s t
a n d a b l e c o m m u n i c a t i o n o f t h e s e I T
a c t i v i t i e s a n d m a n a g e m e n t p r o c e s s e s t o s
a t i s f y t h e B o a r d a n d o t h e r i n t e r e s t e d
s t a k e h o l d e r s .
4 5
IT Governance covers the culture, organisation, policies and
practices that provide this kind of oversight and transparency of
IT – IT Governance is part of a wider Corporate Governance
activity but with its own specific focus. The benefits of good IT
risk management, oversight and clear communication not only
reduce the cost and damage caused by IT failures – but also
engenders greater trust, teamwork and confidence in the use of
IT itself and the people trusted with IT services.
1.1 Why is IT Governance important?

IT Governance has become very topical for a number of
reasons:
I n t h e w a k e o f E n r o n a n d o t h e r c o r p o r a t e
s c a n d a l s , “ G o v e r n a n c e ” g e n e r a l l y h a s
t a k e n o n e v e n g r e a t e r s i g n i f i c a n c e . I T h a
s a p i v o t a l r o l e t o p l a y i n i m p r o v i n g
c o r p o r a t e g o v e r n a n c e p r a c t i c e s .
M a n a g e m e n t ’s a w a r e n e s s o f I T r e l a t e d r i
s k s h a s i n c r e a s e d .
T h e r e i s a f o c u s o n I T c o s t s i n a l l o r g a n i
s a t i o n s .
T h e r e i s a g r o w i n g r e a l i s a t i o n t h a t m o r e
m a n a g e m e n t c o m m i t m e n t i s n e e d e d t o
i m p r o v e t h e m a n a g e m e n t a n d c o n t r o l o f I
T a c t i v i t i e s .
IMPACT’s IT Governance Special Interest Group (SIG) has
examined these trends and found that the following issues drive
the need for IT Governance:
T h e r e i s a g e n e r a l l a c k o f a c c o u n t a b i l i t y
a n d n o t e n o u g h s h a r e d o w n e r s h i p
a n d c l a r i t y o f r e s p o n s i b i l i t i e s f o r I T s e r
v i c e s a n d p r o j e c t s . T h e c o m m u n i c a t i o n
b e t w e e n c u s t o m e r s ( I T u s e r s ) a n d p r o v i d
e r s h a s t o i m p r o v e a n d b e b a s e d o n j o i n t
a c c o u n t a b i l i t y f o r I T i n i t i a t i v e s .
T h e r e i s a p o t e n t i a l l y w i d e n i n g g a p b e t w
e e n w h a t I T d e p a r t m e n t s t h i n k t h e b u s i n e
s s
r e q u i r e s a n d w h a t t h e b u s i n e s s t h i n k s t h e
I T d e p a r t m e n t i s a b l e t o d e l i v e r.

O r g a n i s a t i o n s n e e d t o o b t a i n a b e t t e r u n
d e r s t a n d i n g o f t h e v a l u e d e l i v e r e d b y I T,
b o t h i n t e r n a l l y a n d f r o m e x t e r n a l s u p p l i
e r s . M e a s u r e s a r e r e q u i r e d i n b u s i n e s s ( t
h e
c u s t o m e r ’s ) t e r m s t o a c h i e v e t h i s e n d .
To p m a n a g e m e n t w a n t s t o u n d e r s t a n d “ h o
w i s m y o r g a n i s a t i o n d o i n g w i t h I T i n
c o m p a r i s o n w i t h o t h e r p e e r g r o u p s ? ”
M a n a g e m e n t n e e d s t o u n d e r s t a n d w h e t h e
r t h e i n f r a s t r u c t u r e u n d e r p i n n i n g t o d a y ’s
a n d t o m o r r o w ’s I T ( t e c h n o l o g y, p e o p l e , p
r o c e s s e s ) i s c a p a b l e o f s u p p o r t i n g
e x p e c t e d b u s i n e s s n e e d s .
B e c a u s e o r g a n i s a t i o n s a r e r e l y i n g m o r e
a n d m o r e o n I T, m a n a g e m e n t n e e d s t o b e
m o r e a w a r e o f c r i t i c a l I T r i s k s a n d w h e t h
e r t h e y a r e b e i n g m a n a g e d . F u r t h e r m o r e ,
i f t h e r e i s a l a c k o f c l a r i t y a n d t r a n s p a r e
n c y w h e n t a k i n g s i g n i f i c a n t I T d e c i s i o n s
,
t h i s c a n l e a d t o r e l u c t a n c e t o t a k e r i s k s a
n d a f a i l u r e t o s e i z e t e c h n o l o g y
o p p o r t u n i t i e s .
A n d f i n a l l y, t h e r e i s a r e a l i s a t i o n t h a t b e
c a u s e I T i s c o m p l e x a n d h a s i t s o w n f a s t
c h a n g i n g a n d u n i q u e c o n d i t i o n s , t h e n e e d
t o a p p l y s o u n d m a n a g e m e n t d i s c i p l i n e s
a n d c o n t r o l s i s e v e n g r e a t e r.
Stakeholders include:

To p l e v e l b u s i n e s s l e a d e r s s u c h a s t h e B o
a r d , E x e c u t i v e , n o n - E x e c s , a n d e s p e c i a l l
y
h e a d s o f F i n a n c e , O p e r a t i o n s a n d I T.
T h o s e t h a t h a v e a r e s p o n s i b i l i t y f o r i n v e
s t o r a n d p u b l i c r e l a t i o n s .
I n t e r n a l a n d e x t e r n a l a u d i t o r s a n d r e g u l
a t o r s .
M i d d l e l e v e l b u s i n e s s a n d I T m a n a g e m e n
t .
K e y b u s i n e s s p a r t n e r s a n d s u p p l i e r s .
S h a r e h o l d e r s .
C u s t o m e r s .
Concerns they typically have include:
Av a i l a b i l i t y, s e c u r i t y a n d c o n t i n u i t y o f I
T s e r v i c e s .
C o s t s a n d m e a s u r a b l e r e t u r n s o n i n v e s t m
e n t s .
Q u a l i t y a n d r e l i a b i l i t y o f s e r v i c e – n o e
m b a r r a s s m e n t s .
I T n o t a p p e a r i n g t o r e s p o n d t o t h e r e a l n
e e d s o f t h e b u s i n e s s .
I d e n t i f i c a t i o n a n d m a n a g e m e n t o f I T r e l
a t e d r i s k s t o t h e b u s i n e s s .
IT Governance – The Business Case1
6 7

C a p a b i l i t y a n d s k i l l s o f h u m a n r e s o u r c e s
.
C o m p l i a n c e t o l e g a l , r e g u l a t o r y a n d c o n t
r a c t u a l r e q u i r e m e n t s .
R e s p o n s i v e n e s s a n d n i m b l e n e s s t o c h a n g
i n g c o n d i t i o n s .
1.2 What does IT Governance cover?
IT Governance is a relatively new concept as a defined
discipline and is still evolving.
IT Governance is not just an IT issue or only of interest to the
IT function. In its broadest sense it is a part of the overall
governance of an entity, but with a specific focus on improving
the management and control of Information Technology for the
benefit of the primary stakeholders. Ultimately it is the
responsibility of the Board of Directors to ensure that IT along
with other
critical activities is adequately governed. Although the
principles are not new, actual implementation requires new
thinking
because of the special nature of IT.
IT Governance spans the culture, organisation, policy and
practices that provide for IT management and control across
five key areas1:
A l i g n m e n t – P r o v i d e f o r s t r a t e g i c d i r e c t
i o n o f I T a n d t h e a l i g n m e n t o f I T a n d t h e
b u s i n e s s w i t h r e s p e c t t o s e r v i c e s a n d p r o
j e c t s .
Va l u e D e l i ve r y – C o n f i r m t h a t t h e I T / B u s
i n e s s o r g a n i s a t i o n i s d e s i g n e d t o
d r i v e m a x i m u m b u s i n e s s v a l u e f r o m I T. O

v e r s e e t h e d e l i v e r y o f v a l u e b y I T t o t h e
b u s i n e s s , a n d a s s e s s R O I .
R i s k M a n a ge m e n t – A s c e r t a i n t h a t p r o c e s
s e s a r e i n p l a c e t o e n s u r e t h a t r i s k s
h a v e b e e n a d e q u a t e l y m a n a g e d . I n c l u d e a
s s e s s m e n t o f t h e r i s k a s p e c t s o f I T
i n v e s t m e n t s .
Re s o u r c e M a n a ge m e n t – P r o v i d e h i g h - l e v
e l d i r e c t i o n f o r s o u r c i n g a n d u s e o f I T
r e s o u r c e s . O v e r s e e t h e a g g r e g a t e f u n d i n
g o f I T a t e n t e r p r i s e l e v e l . E n s u r e t h e r e i
s
a n a d e q u a t e I T c a p a b i l i t y a n d i n f r a s t r u c t
u r e t o s u p p o r t c u r r e n t a n d e x p e c t e d f u t u r
e
b u s i n e s s r e q u i r e m e n t s .
Pe r fo r m a n c e M e a s u r e m e n t – Ve r i f y s t r a t e
g i c c o m p l i a n c e , i . e . a c h i e v e m e n t
o f s t r a t e g i c I T o b j e c t i v e s . R e v i e w t h e m e
a s u r e m e n t o f I T p e r f o r m a n c e a n d t h e
c o n t r i b u t i o n o f I T t o t h e b u s i n e s s ( i . e . d
e l i v e r y o f p r o m i s e d b u s i n e s s v a l u e ) .
IT Governance is not a one-time exercise or something achieved
by a mandate or setting of rules. It requires a commitment
from the top of the organisation to instil a better way of dealing
with the management and control of IT. IT Governance is an
ongoing activity that requires a continuous improvement
mentality and responsiveness to the fast changing IT
environment.
IT Governance can be integrated within a wider Enterprise
Governance approach, and support the increasing legal and
regulatory requirements of Corporate Governance.

1.3 What are the benefits?
Investments are likely to be needed to improve and develop the
IT Governance areas that need attention. It is important
therefore, to begin with as good a definition as possible of the
potential benefits from such an initiative to help build a viable
business case. The expected benefits can then become the
project success criteria and be subsequently monitored.
The IMPACT IT Governance SIG has identified the following
main areas of benefit likely to arise from good IT Governance:
Transparency and Accountability
I m p r o v e d t r a n s p a r e n c y o f I T c o s t s , I T p r
o c e s s , I T p o r t f o l i o ( p r o j e c t s a n d s e r v i c e
s ) .
C l a r i f i e d d e c i s i o n - m a k i n g a c c o u n t a b i l i
t i e s a n d d e f i n i t i o n o f u s e r a n d p r o v i d e r
r e l a t i o n s h i p s .
Return on Investment/Stakeholder Value
I m p r o v e d u n d e r s t a n d i n g o f o v e r a l l I T c o
s t s a n d t h e i r i n p u t t o R O I c a s e s .
C o m b i n i n g f o c u s e d c o s t - c u t t i n g w i t h a n
a b i l i t y t o r e a s o n f o r i n v e s t m e n t .
S t a k e h o l d e r s a l l o w e d t o s e e I T r i s k / r e t u
r n s .
I m p r o v e d c o n t r i b u t i o n t o s t a k e h o l d e r r e
t u r n s .
1. Board Briefing on IT Governance, 2nd Edition, the IT
Governance Institute®.

6 7
E n h a n c e m e n t a n d p r o t e c t i o n o f r e p u t a t i o
n a n d i m a g e .
Opportunities and Partnerships
P r o v i d e r o u t e t o r e a l i s e o p p o r t u n i t i e s t h
a t m i g h t n o t r e c e i v e a t t e n t i o n o r
s p o n s o r s h i p .
P o s i t i o n i n g o f I T a s a b u s i n e s s p a r t n e r (
a n d c l a r i f y i n g w h a t s o r t o f b u s i n e s s p a r t
n e r
I T i s ) .
F a c i l i t a t e j o i n t v e n t u r e s w i t h o t h e r c o m
p a n i e s .
F a c i l i t a t e m o r e b u s i n e s s l i k e r e l a t i o n s h i
p s w i t h k e y I T p a r t n e r s ( v e n d o r s a n d
s u p p l i e r s ) .
A c h i e v e a c o n s i s t e n t a p p r o a c h t o t a k i n g
r i s k s .
E n a b l e s I T p a r t i c i p a t i o n i n b u s i n e s s s t r
a t e g y ( w h i c h i s t h e n r e f l e c t e d i n I T s t r a t
e g y )
a n d v i c e v e r s a .
I m p r o v e r e s p o n s i v e n e s s t o m a r k e t c h a l l e
n g e s a n d o p p o r t u n i t i e s .

Performance Improvement
A c h i e v e c l e a r i d e n t i f i c a t i o n o f w h e t h e r
a n I T s e r v i c e o r p r o j e c t s u p p o r t s “ b u s i n e
s s
a s u s u a l ” o r i s i n t e n d e d t o p r o v i d e f u t u r e
a d d e d v a l u e .
I n c r e a s e d t r a n s p a r e n c y w i l l r a i s e t h e b a
r f o r p e r f o r m a n c e , a n d a d v e r t i s e t h a t t h e
b a r s h o u l d b e c o n t i n u o u s l y r a i s e d .
A f o c u s o n p e r f o r m a n c e i m p r o v e m e n t w i l
l l e a d t o a t t a i n m e n t o f b e s t p r a c t i c e s .
Av o i d u n n e c e s s a r y e x p e n d i t u r e s – e x p e n
d i t u r e s a r e d e m o n s t r a b l y m a t c h e d t o
b u s i n e s s g o a l s .
I n c r e a s e a b i l i t y t o b e n c h m a r k .
External Compliance
E n a b l e s a n i n t e g r a t e d a p p r o a c h t o m e e t i
n g e x t e r n a l l e g a l a n d r e g u l a t o r y
r e q u i r e m e n t s .
1.4 What is IT Governance best practice?
Experiences gained by IMPACT SIG members have identified a
number of practical organisational and process issues that
need to be addressed when implementing IT Governance. This
has enabled the Group to recommend the following best
practices (critical success factors) when planning IT
Governance initiatives:

An enterprise wide approach should be adopted
T h e b u s i n e s s a n d I T m u s t w o r k t o g e t h e r t
o d e f i n e a n d c o n t r o l r e q u i r e m e n t s .
I T w i l l n e e d t o d e v e l o p a c o n t r o l m o d e l a
p p l i c a b l e t o a l l b u s i n e s s u n i t s / d i v i s i o n s
.
A c o m m i t t e e a p p r o a c h i s r e c o m m e n d e d f o
r s e t t i n g , a g r e e i n g , a n d m o n i t o r i n g
d i r e c t i o n / p o l i c y e t c .
A s h a r e d , c o h e s i v e v i e w o f I T G o v e r n a n c
e i s n e e d e d a c r o s s t h e e n t e r p r i s e b a s e d o
n
a c o m m o n l a n g u a g e .
T h e r e s h o u l d b e a c l e a r u n d e r s t a n d i n g ( a
n d a p p r o v a l ) b y s t a k e h o l d e r s o f w h a t i s
w i t h i n t h e s c o p e o f I T G o v e r n a n c e .
Top level commitment backed up by clear accountability is a
necessity
I T G o v e r n a n c e n e e d s a m a n d a t e a n d d i r e c
t i o n f r o m B o a r d / E x e c u t i v e l e v e l
m a n a g e m e n t i f i t i s t o s u c c e e d i n p r a c t i c
e .
M a k e s u r e m a n a g e m e n t r e s p o n s i b i l i t i e s
a n d a c c o u n t a b i l i t i e s i n t h e b u s i n e s s a s w
e l l
a s I T h a v e b e e n d e f i n e d .
An agreed IT Governance and control framework is required

IT Governance – The Business Case1
8 9
A l t h o u g h i t m a y g e n e r a t e c h a l l e n g e s a n d
p u s h b a c k , a n d w i l l r e q u i r e a c o n s e n s u s ,
a n a g r e e d f r a m e w o r k f o r d e f i n i n g I T p r o c
e s s e s a n d t h e c o n t r o l s r e q u i r e d t o m a n a g
e
t h e m m u s t b e d e f i n e d f o r I T G o v e r n a n c e t
o f u n c t i o n e f f e c t i v e l y.
T h e p r o c e s s e s f o r I T G o v e r n a n c e n e e d t o
b e i n t e g r a t e d w i t h o t h e r e n t e r p r i s e w i d e
g o v e r n a n c e p r a c t i c e s s o t h a t I T G o v e r n a
n c e d o e s n o t b e c o m e j u s t a n I T o w n e d
p r o c e s s .
T h e f r a m e w o r k n e e d s t o b e s u p p o r t e d b y
a n e f f e c t i v e c o m m u n i c a t i o n a n d a w a r e n e
s s
c a m p a i g n s o t h a t o b j e c t i v e s a r e u n d e r s t o
o d a n d t h e p r a c t i c e s a r e c o m p l i e d w i t h .
I n c e n t i v e s s h o u l d b e c o n s i d e r e d t o m o t i
v a t e a d h e r e n c e t o t h e f r a m e w o r k .
P a y a t t e n t i o n t o d e v o l v e d d e c e n t r a l i s e d
I T o r g a n i s a t i o n s t o e n s u r e a g o o d b a l a n c
e
b e t w e e n c e n t r a l l y d r i v e n p o l i c y a n d l o c a
l l y i m p l e m e n t e d p r a c t i c e s .

Av o i d t o o m u c h b u r e a u c r a c y.
Trust needs to be gained for the IT function (in house and/or
external)
F o r I T G o v e r n a n c e t o w o r k t h e s u p p l i e r s
o f I T s e r v i c e s a n d k n o w - h o w n e e d t o b e
s e e n a s p r o f e s s i o n a l , e x p e r t a n d a l i g n e d
t o c u s t o m e r r e q u i r e m e n t s . Tr u s t h a s t o b e
d e v e l o p e d b y w h a t e v e r m e a n s i n c l u d i n g a
w a r e n e s s p r o g r a m m e s , j o i n t w o r k s h o p s ,
a n d t h e I T D i r e c t o r a c t i n g a s a b r i d g e b e t
w e e n t h e b u s i n e s s a n d I T.
Measurement systems will ensure objectives are owned and
monitored
C r e a t i o n o f a n I T s c o r e c a r d w i l l u n d e r p i
n a n d r e i n f o r c e a c h i e v e m e n t o f I T
G o v e r n a n c e o b j e c t i v e s .
C r e a t i o n o f a n i n i t i a l s e t o f m e a s u r e s c a
n b e a v e r y g o o d w a y t o r a i s e a w a r e n e s s
a n d i n i t i a t e a n I T G o v e r n a n c e p r o g r a m m e
.
T h e m e a s u r e s u s e d m u s t b e i n b u s i n e s s t e
r m s a n d b e a p p r o v e d b y s t a k e h o l d e r s .
Focus on costs
I t i s l i k e l y t h a t t h e r e w i l l b e o p p o r t u n i t i
e s t o m a k e f i n a n c i a l s a v i n g s a s a
c o n s e q u e n c e o f i m p l e m e n t i n g i m p r o v e d I
T G o v e r n a n c e . T h e s e w i l l h e l p t o g a i n
s u p p o r t f o r i m p r o v e m e n t i n i t i a t i v e s .

8 9
2 Performance Measurement
2.1 Why is performance measurement important? . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 What does performance measurement cover? . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Who are the stakeholders and what are their requirements? .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4 What should we measure? . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.5 What’s best practice? . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
One of the greatest challenges faced by those trying to manage
IT in today’s fast moving economy and complex technical
environment is knowing whether the “ship is on course” and
being able to predict and anticipate failures before it is too
late. Like driving a car or steering a ship, good instruments are
essential. The use of measures to help steer the IT function
has for many years been a challenge that few appear to have
successfully addressed, which is why the expression “it’s like
driving a car with a blacked out windscreen and no instruments”
is often used. If it is difficult for those literate in technology
and relatively close the IT function, then it is even worse for
the end customer who finds technical jargon a smokescreen and
lack of information relevant to his business a major headache.
There is no doubt that a practical and effective way to measure
IT performance is an essential part of any IT Governance
programme, just as transparency and reliability of financial

results is a Corporate Governance necessity. Performance
management is important because it verifies the achievement of
strategic IT objectives and provides for a review of IT
performance and the contribution of IT to the business (i.e.
delivery of promised business value). It is also important in
providing a transparent assessment of IT’s capability and an
early warning system for risks and pitfalls that might otherwise
have been missed. Performance measurement provides
transparency of IT related costs, which increasingly account for
a
very significant proportion of most organisations’ operating
expenses.
Stakeholders play a key part in IT Governance, since at the
heart of the governance responsibilities of setting strategy,
managing risks, allocating resources, delivering value and
measuring performance, are the stakeholder values, which drive
the enterprise and IT strategy.
For performance measurement to be successful, it is important
to understand who the stakeholders are and what their
specific requirements and drivers are so that the performance
measurements will be meaningful to them. An IT Governance
best practice is the approval of measures by stakeholders. A
performance measurement system is only effective if it serves
to communicate to all who need to know what is important and
then motivates positive action and alignment to common
objectives. The measures are not an end in themselves but a
means to take corrective action and to learn from real
experiences. Concise and understandable communication and
clear accountabilities are therefore critical success factors if
measures are to be turned into effective actions.
“If you can’t measure it, you can’t manage it”
2.1 Why is performance measurement important?

“Teams that don’t keep score are only practising.”
Tom Malone, President Milliken & Company
Performance measurement is a key component of IT
Governance. It verifies the achievement of strategic IT
objectives and
provides for a review of IT performance and the contribution of
IT to the business (i.e. delivery of promised business value).
Performance measurement supports the other key elements2 of
IT Governance by:
A l i g n m e n t – m o n i t o r i n g t h e s t r a t e g i c d i r
e c t i o n o f I T a n d t h e a l i g n m e n t o f I T a n d t
h e
b u s i n e s s .
Va l u e D e l i v e r y – a s s e s s i n g w h e t h e r t h e I
T / B u s i n e s s o r g a n i s a t i o n i s p r o v i d i n g
b u s i n e s s v a l u e f r o m I T a n d a s s e s s i n g R O I
.
R i s k M a n a g e m e n t – m o n i t o r i n g w h e t h e r r
i s k s a r e b e i n g i d e n t i f i e d a n d m a n a g e d a n
d
m e a s u r i n g t h e c o s t a n d b e n e f i t o f r i s k m a
n a g e m e n t i n v e s t m e n t s .
Performance Measurement2

10 11
R e s o u r c e M a n a g e m e n t – m e a s u r i n g t h e e f
f e c t i v e n e s s o f s o u r c i n g a n d u s e o f
I T r e s o u r c e s , t h e a g g r e g a t e f u n d i n g o f I T
a t e n t e r p r i s e l e v e l , a n d m e a s u r i n g I T
c a p a b i l i t y a n d i n f r a s t r u c t u r e c o m p a r e d t
o c u r r e n t a n d e x p e c t e d f u t u r e b u s i n e s s
r e q u i r e m e n t s .
Performance measures are required to ensure that the outcomes
of IT activities are aligned to the customer’s goals. Internal IT
process measures are required to ensure that the processes are
capable of delivering the intended outcomes cost-effectively.
Advanced performance measurement enables the measurement
of key aspects of IT capability such as creativity and agility
(new ideas, speed of delivery and success of a change
programme), development of new solutions, ability to operate
reliable
and secure services in an increasingly demanding IT technical
environment, and the development of human resources and
skills.
Performance measurement may also be a vital tool when
assessing mergers and acquisitions to allow earlier insight into
IT strengths and gaps. The introduction of a performance
measurement system focused on a few key measures can be an
excellent way to kick-start an IT Governance initiative,
providing, perhaps for the first time, transparency of critical
activities
and a way to bridge the communication gap between IT and its
customers.
2.2 What does performance measurement cover?

Performance measures are the “vital signs” of an organisation.
They quantify how well the activities within a process or the
outputs of a process achieve a specific goal. The measures tell
people what and how they’re doing as part of the whole.
They communicate what’s important throughout the
organisation: strategy from top management down, process
results from
the lower levels up, and control and improvement within the
process. Only with a consistent view of the “vital signs” can
everyone work toward implementing the strategy, achieving the
goals, and improving the organisation (Vital Signs, by Steven
M. Hronec).
An IT performance measurement system should help to:
F o c u s o n t h e c u s t o m e r t o i n c r e a s e c u s t o
m e r s a t i s f a c t i o n
I m p r o v e p r o c e s s e s s o p r o b l e m s a r e a n t i c
i p a t e d a n d p r e v e n t e d
U n d e r s t a n d a n d r e d u c e c o s t s
E n c o u r a g e a n d f a c i l i t a t e c h a n g e b y o b t a i
n i n g f a c t s a b o u t c u r r e n t s t a t e , d e s i r e d
s t a t e a n d t h e g a p t h a t n e e d s t o b e m e t
S e t r e a l i s t i c b e n c h m a r k s f o r c o m p a r i s o n
Effective performance measurement of IT will enable
management and other stakeholders to know whether or not IT
is
meeting its objectives. It provides a transparent and objective
communication mechanism, as long as the measures are
understandable by both the customers and the service providers.
The measures should address two aspects (The IT
Governance Institute’s CobiT Management Guidelines provides
example metrics for all IT processes and explains the
difference between Goal Indicators (KGIs) and Process

Indicators (KPIs)):
O u t c o m e f o c u s e d – i s I T m e e t i n g t h e o b j e
c t i v e s s e t b y t h e c u s t o m e r ?
P r o c e s s f o c u s e d – a r e t h e I T p r o c e s s e s o
p e r a t i n g e f f e c t i v e l y a n d l i k e l y t o l e a d t o
t h e c u s t o m e r o b j e c t i v e s b e i n g m e t ?
The IT Governance SIG recommends that performance
measures meet the following requirements to be successful:
D e f i n e d u s i n g a c o m m o n l a n g u a g e a p p r o p
r i a t e a n d u n d e r s t a n d a b l e f o r t h e
a u d i e n c e
A p p r o v e d b y t h e s t a k e h o l d e r s
I n k e e p i n g w i t h t h e c u l t u r e a n d s t y l e o f t
h e o r g a n i s a t i o n
B a s e d o n t a r g e t s d e r i v e d f r o m I T ’s o b j e c
t i v e s
C o n t a i n a m i x o f o b j e c t i v e a n d s u b j e c t i v
e m e a s u r e s
F l e x i b l e a n d r e s p o n s i v e t o c h a n g i n g p r i o
r i t i e s a n d r e q u i r e m e n t s
B a s e d o n e a s y t o c o l l e c t a c t u a l m e a s u r e
m e n t r e s u l t s
I n c l u d e b o t h p o s i t i v e m e a s u r e s ( t o m o t i
v a t e ) a n d n e g a t i v e m e a s u r e s ( t o c o r r e c t )
B a l a n c e d , i . e . m e a s u r i n g m o r e t h a n j u s t
f i n a n c i a l r e s u l t s . T h e B a l a n c e S c o r e c a r d
i s
r e c o m m e n d e d a s a n e f f e c t i v e a p p r o a c h p r
o v i d i n g f i n a n c i a l , c u s t o m e r, i n t e r n a l a n d
l e a r n i n g d i m e n s i o n s ( T h e B a l a n c e d S c o r e

c a r d , K a p l a n & N o r t o n )
L i m i t e d i n n u m b e r a n d f o c u s e d o n l y o n p r
i o r i t y a r e a s b u t s u f f i c i e n t t o s u p p o r t
d e c i s i o n m a k i n g ( p a s s e s t h e “ s o - w h a t ? ” t
e s t )
10 11
E a s y t o i n t e r p r e t ( e . g . r e p o r t i n g s h o u l d
b e v i s u a l u s i n g R A G o r h e a t m a p t e c h n i q u
e s )
a n d p e r m i t d r i l l i n g d o w n f o r m o r e d e t a i l
a n d e x a m i n a t i o n o f r o o t c a u s e s . A s c o r e c
a r d
i s s o m e t i m e s n o t a p p r o p r i a t e , e . g . f o r p r
o j e c t r e v i e w a n d p r i o r i t i s a t i o n o r d e t a i l
e d
a n a l y s i s ( w h e r e a g g r e g a t i o n d i s t o r t s o r c
o n f u s e s )
S h o w t r e n d s t o e n a b l e b a c k w a r d e x a m i n a
t i o n a n d f o r w a r d e x t r a p o l a t i o n
C o n s o l i d a t e d f o r h i e r a r c h i c a l r e p o r t i n g
S u p p o r t b e n c h m a r k i n g i n t e r n a l l y b e t w e e
n p e e r g r o u p s a n d e x t e r n a l l y w i t h b e s t
p r a c t i c e
I n t e g r a t e d i f p o s s i b l e w i t h a n y e x i s t i n g
b u s i n e s s l e v e l p e r f o r m a n c e m e a s u r e m e n t
s y s t e m

2.3 Who are the stakeholders and what are their requirements?
Stakeholders play a key part in IT Governance. At the heart of
the governance responsibilities of setting strategy, managing
risks, allocating resources, delivering value and measuring
performance, are the stakeholder values, which drive the
enterprise
and IT strategy. For performance measurement to be
successful, it is important to understand who the stakeholders
are and
what their specific requirements and drivers are so that the
performance measurements will be meaningful to them. An IT
Governance best practice is the approval of measures by
stakeholders (IT Governance Institute – Board Briefing on IT
Governance).
For the purposes of performance measurement, we have
classified stakeholders into three groups: investors, controllers
and
deliverers/providers with specific measurement interests and
requirements as follows:
Investors – (business management, business partners and IT
management)
I n t e r e s t s – t h e y p r o v i d e t h e f u n d i n g a n d
w a n t t o s e e a r e t u r n o n t h e i r i n v e s t m e n t
a n d a l i g n m e n t w i t h t h e i r s t r a t e g i c o b j e c t
i v e s
Re q u i r e m e n t s
- F i n a n c i a l – R O I , c o s t v. b u d g e t , p r o d u c
t i v i t y, b e n e f i t s r e a l i s a t i o n
- C u s t o m e r – s u r v e y s a n d f e e d b a c k ( s u b j
e c t i v e a s w e l l a s o b j e c t i v e ) , s t r a t e g i c

o b j e c t i v e s v. a c t u a l p r o j e c t s / a c t i v i t i e s
- P r o c e s s – c a p a b i l i t y b e n c h m a r k , p e r f o
r m a n c e e x c e p t i o n s , t r a n s f o r m a t i o n
c a p a b i l i t y a n d t a c t i c a l a g i l i t y
- L e a r n i n g – a t t r i t i o n , r e t e n t i o n , s k i l l p
r o f i l e , r e s o u r c e s h o r t f a l l , t r a i n i n g a n d
d e v e l o p m e n t
Controllers – (internal and external audit, risk and compliance
officers, finance, human resources, industry specific
regulators)
I n t e r e s t s – t h e y m o n i t o r r i s k a n d c o m p l i
a n c e a n d h a v e a n i n t e r e s t i n d u e p r o c e s s ,
r e g u l a t o r y a n d l e g a l r e q u i r e m e n t s , e v i d e
n c e o f g o v e r n a n c e a n d r i s k m a n a g e m e n t ,
a m o u n t o f r e w o r k / r e p e a t e f f o r t , a n d c o m
p l i a n c e w i t h s t r a t e g y
- F i n a n c i a l – l o s s e s , i n v e s t m e n t s i n c o n
t r o l i m p r o v e m e n t s
- C u s t o m e r – e x c e p t i o n s / b r e a c h e s , r i s k
m a n a g e m e n t , c o m p l i a n c e w i t h l e g i s l a t i o
n
a n d r e g u l a t i o n s
- P r o c e s s – c o n t r o l e f f e c t i v e n e s s , c o m p l
i a n c e
- L e a r n i n g – r i s k i d e n t i f i c a t i o n , r i s k p r e
v e n t i o n
Deliverers/Providers – (IT service and product suppliers, in-
house and outsourced, contract and procurement management

and staff involved in IT delivery and support)
I n t e r e s t s – t h e y n e e d t o m e e t c u s t o m e r e x
p e c t a t i o n s , a n d d e l i v e r i n a n e f f i c i e n t
a n d e f f e c t i v e w a y, p r e s e r v i n g a n d e n h a n c
i n g r e p u t a t i o n
- F i n a n c i a l – o p e r a t i o n a l a n d p r o j e c t c o
s t s , c o s t a l l o c a t i o n / r e c o v e r y, s e r v i c e
c r e d i t s , c o s t o p t i m i s a t i o n
- C u s t o m e r – p e r f o r m a n c e a g a i n s t S L A s ,
s a t i s f a c t i o n f e e d b a c k e . g . s u r v e y
r e s p o n s e s , c u s t o m e r r e t e n t i o n a n d g r o w t
h s t a t i s t i c s , e f f e c t i v e n e s s o f d e a l i n g
w i t h b u s i n e s s c h u r n
12 13
- P r o c e s s – i n t e r n a l i m p r o v e m e n t i n e f f i
c i e n c y a n d r i s k r e d u c t i o n , i n t e r n a l v.
o u t s o u r c e d e c i s i o n s u p p o r t
- L e a r n i n g – c a p a b i l i t y t o d e l i v e r, r e a d i
n e s s f o r n e w r e q u i r e m e n t s , t i m e t o m a r k e
t
f o r n e w i n i t i a t i v e s

2.4 What should we measure?
The ownership of measures and accountability for achieving
targets should be clear. Furthermore, ownership and the
collection of measurement data will not always be an IT
responsibility, e.g. measurement of customer-focused outcomes.
It
should therefore also be clear whose responsibility collection is.
Where appropriate, measures should be formalised in Service
Level Agreements (SLAs) based on service descriptions written
in a language and using terms meaningful to the customer.
For third party service providers an SLA should form part of the
contractual agreement so that performance measurement can
be backed up with contractual recourse in the event of
performance failure. To support IT Governance the following
top fifteen
areas to measure are recommended, with an indication of who
has a primary interest and therefore who should approve the
measures (figure 2.4)
2.5 What is best practice?
Experiences gained by the IMPACT SIG members have
identified a number of enablers and inhibitors that will assist in
the
achievement of Performance Measurement best practices when
supporting IT Governance. Since the Interest Group is not
primarily focused on performance measurement techniques we
are not attempting to provide best practice guidance on
measurement methods and/or tools.
In general, performance measurement should support this
classic control model (figure 2.5)
Area Investors Controllers Providers
Business & IT alignment √

Major project delivery performance (objectives, time and
budget) √ √
Overall financial performance (costs v. budgets) √ √ √
ROI for IT investments (business benefit) √
Status of critical risks √ √ √
Performance with respect to reliability and availability of
critical
services
√ √
Complaints (QOS) and customer perception √
Number of significant reactive fixes to errors √
SLA performance by third parties √ √
Relationships with suppliers (quality & value) √ √
Capability e.g. process maturity √
HR measures for people involved in IT activities √
Internal and external benchmarks √ √
Audit weaknesses √ √
Business continuity status √ √ √
Figure 2.4

12 13
Enablers
S u p p o r t a n d o w n e r s h i p o f p e r f o r m a n c e m
e a s u r e m e n t b y S t a k e h o l d e r s
M e a s u r e s t h a t a r e a p p r o v e d b y a n d m e a n i
n g f u l t o t h e S t a k e h o l d e r s
M e a s u r e s t h a t a l i g n w i t h a g r e e d I T o b j e c
t i v e s
M e a s u r e s t h a t f o c u s o n p r o c e s s e s c r i t i c a
l t o t h e s u c c e s s o f I T o b j e c t i v e s
M e a s u r e s t h a t a r e e a s y t o c o l l e c t a n d u n d
e r s t a n d
Ta r g e t s t h a t a r e c h a l l e n g i n g b u t a l s o a c h
i e v a b l e
M e a s u r e s t h a t a r e b a l a n c e d e . g . b a s e d o n
t h e B a l a n c e d S c o r e c a r d t e c h n i q u e
M e a s u r e m e n t r e p o r t s a n d s c o r e c a r d s t h a t
a r e e a s y t o i n t e r p r e t , w i t h e x p l a n a t i o n s
o f e x c e p t i o n s
W h e r e p o s s i b l e , m e a s u r e s s h o u l d b e a u t o
m a t e d
Inhibitors
To o m u c h f o c u s o n t e c h n i c a l m e a s u r e s ( e
s p e c i a l l y i f t h e y a r e n o t a l i g n e d t o I T
o b j e c t i v e s )
L a c k o f o w n e r s h i p a n d a c c o u n t a b i l i t y
M e a s u r e s w h i c h a r e n o t s t r a i g h t f o r w a r d

t o i n t e r p r e t o r e n c o u r a g e c o u n t e r- p r o d u c
t i v e
b e h a v i o u r ( c f . N a t i o n a l H e a l t h Wa i t i n g L
i s t t a r g e t s )
M e a s u r e s w h i c h a r e e x p e n s i v e t o c o l l e c t
o r n o t f o c u s e d o n p r i o r i t y a r e a s
To o m a n y m e a s u r e s o b s c u r i n g r e l e v a n t a n
d i m p o r t a n t i n f o r m a t i o n
Figure 2.5
3
14 15
3 Implementation Roadmap
3.1 What are the goals and success criteria? . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 How to get started – the key initial activities . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.3 Who needs to be involved and what are their roles and
responsibilities? . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
This chapter describes an “Implementation Roadmap” for
activating an effective IT Governance programme to deliver the
above benefits, and is based on the practical implementation
experiences gained by the IMPACT IT Governance SIG

members.
The roadmap begins with establishing clear goals and objectives
in order to align effort with the real needs of the enterprise,
to manage expectations, and to ensure continual focus. The
roadmap then consists of activities to get started, followed by
the key implementation tasks with suggested roles and
responsibilities. IT Governance is an ongoing task and therefore
this
roadmap is only the initial phase of what needs to become an
iterative sustainable approach.
3.1 What are the goals and success criteria?
Implementing IT Governance for many organisations will mean
major changes. It is important therefore to not only have high-
level sponsorship but also the active involvement of key
stakeholders. The roadmap is an iterative lifecycle that begins
with
an initial phase to define overall goals and to gain the support
and commitment of top management which then leads to the
ongoing effective governance of IT activities.
A generic set of initial objectives has been identified by the SIG
and is shown in Figure 3.1. Figure 3.1.1 suggests some
success criteria for this initial phase of IT Governance.
Typical objectives of the initial implementation phase “Agreed”
√
Define the meaning of governance in your organisation and
where/if IT Governance fits
Identify any organisational/environmental/cultural constraints
and enablers
Achieve a broad understanding of IT Governance issues and

benefits across all stakeholders
Agree, publish and gain acceptance of an initial IT Governance
framework, tools and processes
Completion of an initial gap analysis against best practice – to
demonstrate where IT Governance is already in place
and to highlight areas of focus for the roadmap
Creation of a Project Initiation Document (PID) and/or Terms of
Reference (ToR) that has the support of stakeholders
Creation of a Project Plan with definition and prioritisation of
the initial ITG project deliverables
Identification and commitment of the resources required to
deliver this initial project
Identification and sign-off of Key Performance Indicators and
Critical Success Factors for this project
Documented estimated timescales and resource (£s and FTE)
implications as well as expected ROI
Alignment of the ITG Initiative with business
objectives/strategy
Figure 3.1
14 15
3.2 How to get started – the key initial activities

Having set the goals, and gained support, activation consists of
two steps – planning, based on analysis of the current
environment, followed by implementation itself.
Planning
These are recommended implementation planning activities
together with some critical success factors:
Activities CSFs
• Identify champions
- Stakeholders (including partners), Input providers, IT
strategy committee
(council) members
• Establish IT strategy committee (council)
• Identify IT “hotspots” in the organisation, and where
governance could enable
‘hotspot’ resolution:
- Strategy? Delivery? IT Cost? Architecture?
- Where current approaches have not worked or caused serious
failures
• Identify skill set and capabilities needed from people involved
• Identify existing good practice (‘pseudo governance’) or
successes that could be
built on or shared
• Identify cost/benefit arguments – why do we need to do
anything?
• Identify inconsistencies in process/practice
• Identify opportunities for “rest of business” to get involved in
IT
• Explore opportunity to adopt industry best practice model, or
standards
framework

• Utilise external influences
• Create a measurement approach for an area or activity to
expose actual evidence
of problems
• Do some gap analysis against industry best practice
√ Authoritative and articulate
champions
√ Available skills and
capabilities
√ Well prepared business
cases approved by
stakeholders
√ Real opportunities for the
business to see the benefit of
participating
√ Practical and useful
governance approaches
√ Effective and useful
measures
√ Expose the truth /whole
picture, warts and all, about
project success /failure,
showing how governance can
be helpful
Implementation Roadmap3
Success criteria for the initial implementation phase “Done” √

Key stakeholders identified, engaged and actively involved
Key stakeholders contributing towards and able to explain and
support the business case for ITG
Stakeholders have an understanding of the expectations of the
IT Governance initiative
Some initial ‘quick wins’ have been identified and implemented
– to make governance “real”
Acceptance of the published IT Governance framework by those
responsible for implementation
An effective communication plan – who to, what, when etc. to
overcome any barriers and to motivate change
Current key IT projects mapped against ITG plan, to look for
easy fit/implications
Changes are sustainable and institutionalised, i.e. they become
Business as Usual practices
Figure 3.1.1
16 17
Implementation
These are the recommended activities to start up the
implementation roadmap, together with some critical success
factors:

Activities CSFs
• Create a sound project structure
- Define scope (what is included/excluded) and deliverables
- Agree success criteria/quality criteria
- Set realistic timeframes
- Allocate suitable resources and roles
- Identify risks and a risk mitigation strategy
• Gain approval from Senior Management (the higher the better
within the
Enterprise)
• Find reference site, or external examples to learn from
• Build communication plan to gain buy-in, and break down
barriers
- Who/what/how frequent/purpose
• Do a pilot activity (demonstrate the business case) to show
how it would work and
demonstrate potential benefits
• Follow a phased introduction, e.g.
- Focus on critical but easier to address areas
- Assess projects first
- Build up operational performance improvement progressively
based on
prioritising maximum return for lowest cost
- Consider one business area first, others later
- Aim to establish some successes while learning how to be
effective
√ Good project management
(set the governance tone)
√ Expectations set correctly
√ Approved business case
√ Manage IT like you manage

the rest of the business
√ Convincing reference sites
√ Successful pilot
√ Address quick wins first to
demonstrate results and
realise benefits before
attempting any major
changes
3.3 Who needs to be involved and what are their roles and
responsibilities?
All three generic groups of stakeholders, and their interests,
should be involved in an IT Governance initiative. A key
characteristic of any successful IT Governance initiative is the
establishment of an enterprise-wide approach that clearly sets
out roles and responsibilities, emphasising that everyone has a
part to play in enabling successful IT outcomes.
Figure 3.3: This timeline is generic and intended only to be an
example – it is based on the SIG’s experience.
Thanks to Legal and General for the concept.
16 17
It may also be helpful to include an external, or internal,
facilitator to provide an objective and neutral position.
The suggested generic roles and responsibilities of the three
main groups are shown in Figure 3.3.1.

Implementation Roadmap3
Investors Providers Controllers
Management board (authority to
make things happen)
• Give direction backed up with adequate
support and sponsorship
• Balance requirements with available
resources, making available additional
resources if required
• Insist on and seek measurable benefit
realisation
• Coordinate overseas/satellite parts of the
enterprise to ensure their interests and
constraints have been considered
• Create organisation and structure
to ensure board involvement in the
governance process – by forming
committees, establishing reporting
processes
• Monitor performance, monitor risks,
correct deviations
Business and IT senior managers,
business partners and project
sponsors
• Implement organisation and necessary
infrastructure

• Take ownership of requirements
• Champion and collaborate in IT
governance activities
• Ensure business strategy and objectives
are set and communicated and aligned
with IT
• Assess business risks and impacts
• Establish reporting processes meaningful
to stakeholders
• Communicate any business concerns in
a balanced and reasoned way
• Provide project champions, creating the
seeds of change
User representatives
• Take responsibility for Quality Assurance
programme (design and output)
• Regularly check actual results against
original (or changed) goals
• Provide service feedback to providers
IT management (internal and
external), with support from
business management
• Take ownership and set direction of IT
Governance activities

• Build and achieve a pilot business case
IT management
• Set IT objectives
• Define IT governance and control
framework
• Identify critical IT processes
• Assess risks, identify concerns
• Assess IT capability, identify gaps
• Initiate a continuous improvement
programme
• Develop business cases for
improvements
• Design and implement solutions
• Commit skilled resources
• Establish performance measurement
system
• Report to senior management
• Respond to QA feedback from customers
Suppliers/business partners
• Integrate any own existing or planned
governance practices with customer’s
• Support and contribute to customer’s
governance approach
• Agree service definitions, incentives,
measures and contracts/agreements

Training and Development
• Ensure adequate education and
communication
HR function
• Incorporate governance principles into
induction and performance measurement
process
Core team
• Define plan and deliverables
• Organise team and roles (architects,
senior responsible officer, facilitator,
project manager, process owners)
• Undertake core tasks
• Report progress to plan
Internal and External Audit
• Scope audits in coordination with
governance strategy
• Provide assurance on the control over IT
• Provide assurance on the control over
the IT performance management system
Risk Management
• Ensure that new risks are timely
identified, provide advice
Compliance officers

• Ensure that IT complies with policy, laws
and regulations
Finance
• Advise on and monitor IT costs and
benefits
• Provide support for management
information reporting
• Incorporate governance requirements
into purchasing/contract process
Figure 3.3.1
18 19
4 Communication Strategy & Culture
4.1 Who do we need to influence? . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
4.2 What are the key messages? . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Communication best practices . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
4.4 Developing an influencing strategy . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
4.5 Change roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
IT Governance and risk management is about improving the

management and control of IT activities and enabling top
management to exercise proper oversight. To achieve this,
better processes, controls, best practices and management
techniques are required. However all of these improvements
will only have a chance of succeeding in a sustainable way if
the
culture of the organisation is changed to drive and support the
desired new management approach.
Effective communications are a key enabler of these changes,
just as poor communications can create a legacy of
misunderstanding, lack of trust, and technical mystique and
hype in many organisations. As we said earlier, if it is difficult
for
those literate in technology and relatively close to the IT
function, then it is even worse for the end customer who finds
technical
jargon a smokescreen and lack of information relevant to his
business a major headache. Communication and cultural
behaviour, based on appropriate influencing strategies are
therefore key ingredients of any IT Governance improvement
programme. In order to best influence stakeholders, and
communicate the major objectives and benefits of IT
Governance
throughout the organisation, the right language must be used.
Given the significance of IT both in terms of investment and
potential impact on the business – the risks of IT and of failing
to exploit IT for strategic advantage must be stressed in
any communication about IT Governance. Wake-up calls are
sometimes required at the highest levels. Stakeholders must
understand and feel responsible for safeguarding against IT
risks.
Effective communications will ensure that “everyone is on the
same page” – that key issues have been grasped, objectives
have been positively accepted by management and staff, and

everyone understands their role. Every organisation will have
its
own existing culture and choice of IT Governance approach that
it wishes to adopt. The roadmap to follow for cultural change
and effective communication will therefore be unique to each
organisation, however there may be common elements.
4.1 Who do we need to influence?
A fundamental element of IT Governance is change. When
considering who needs to be influenced for successful IT
Governance, it is important to remember that different messages
are needed for different stakeholders. Whatever the topic is
about, the language used must be understandable, relevant to the
intended audience, and motivate positive attitudes towards
change.
Identifying and gaining the support of key influencers of
success and failure help enable successful communications
strategies. It is also vital to recognise the main stakeholders
impacted by the change, identify why we want to influence a
particular stakeholder, and identify any resistance that needs to
be overcome. Positive attitudes need to be promoted and
used to influence others.
All three generic groups of stakeholders, and their interests,
should be involved in an IT Governance initiative. It is critical
to influence these groups positively so that they understand the
objectives and benefits of IT Governance and are able to
communicate consistently to each other and within their groups
(Figure 4.1).
18 19

4.2 What are the key messages?
In order to best influence stakeholders, and communicate the
major objectives and benefits of IT Governance, the right
language must be used. An inability to communicate effectively
has been one of the major causes of IT failures, with too much
technical jargon, lack of business understanding and poor
appreciation of the other party’s requirements and issues.
Ideally,
a common language is required, and a balance has to be found
between the business trying to understand IT and IT trying to
understand the business. Communications will improve if the
business views the technology provider not as a simple enabler
but as a valued business partner and if IT presents benefits in
the language that the business understands. The following are
examples of some of the key messages that need to be
communicated, based on three primary IT Governance
objectives and
the related benefits that can be realised (Figure 4.2).
Communication Strategy & Culture4
Who needs to be influenced?
Investors Providers Controllers
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key
customers of IT services
• Business Partners
• External investors/shareholders – as part
of corporate governance
• Project and change managers (IT and
Business)

• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. business sponsors,
project champions
• Relationship managers and internal
communications teams
• Suppliers (especially outsourced service
providers)
• Contract and procurement management
• Peripheral players/influencers/policy
owners e.g. HR, Facilities Management,
Legal
• Internal audit and external audit (due
diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and
business managers – reviewers of
benefits/ROI
• Post investment appraisal/post project
review teams
Key Messages
• Benefits of governance

• Why we need to do it
• Impact on the business strategy
• Commitment to support action plans
• Benefits of governance
• Why we need to change
• Your role and responsibility
• How you need to change
• Need for independent assessment and
assurance
• Relate to real business risks and impacts
• Work positively with management to
address control needs
Figure 4.1
Ability to address these Objectives will realise these Benefits
IT and Business strategic and operational alignment
• IT and business working towards the same corporate goals
• Architecture and other technology approaches seen as relevant
and value adding to the business
RoI/Stakeholder Value, Transparency and Accountability
+ Shareholder Value
+ Leveraging investments for greatest return
+ Better use of IT capabilities
+ Cost effective IT solutions
Effective Relationship Management (internal and
external)
• Mutual understanding of goals
• Shared language and terminology

• Working in partnership – equal investment and responsibility
• Clear accountabilities
Opportunities and Partnerships
+ Increased synergies
+ Improved speed to market
+ Improved efficiencies, particularly with third parties
+ Agility to respond to change
Management Control/Quality Management
• Standardised processes
• Consistent approaches
• Comparison/adoption of external best practices (e.g. ISO,
CMMi,
CobiT, ITIL)
• Professional IT services
• Management of risks
Performance Improvement
+ Risk mitigation
+ Continuous efficiency and quality improvements
+ Increased assurance that controls are working
+ Transparency and confidence about measures
Figure 4.2
20 21
4.3 Communication best practices
The experiences of the IT Governance SIG have shown that it is
best practice to emphasise the importance of controlling IT

related risks when communicating the need for IT Governance.
In particular, make sure stakeholders understand and feel
responsible for safeguarding against risks that would not exist if
they had put in place effective IT Governance controls:
a) The “downside” business risks associated with the use and
function of IT, i.e. financial losses, damage to reputation,
loss of service etc.
b) The “upside” business risks of not exploiting IT effectively,
i.e. loss of competitive advantage, inefficiencies, failure to
respond to changing markets etc.
Recommended approaches
If IT risks are not communicated effectively, and instead are
surrounded by hype and complexity, then stakeholders will not
appreciate their real impact, take the issues seriously, or be
motivated to insist on better controls. The following approaches
are recommended to ensure risks have been properly
appreciated:
E m p h a s i s e t h e b u s i n e s s i m p a c t o f r i s k s a
s s o c i a t e d w i t h m i s a l i g n e d I T s t r a t e g i e s ,
m i s u s e o f t e c h n o l o g y, b a d l y m a n a g e d o p e
r a t i o n s a n d i n e f f e c t i v e p r o j e c t
m a n a g e m e n t . S h o w h o w t h e s e r i s k s c a n b e
m i t i g a t e d b y e f f e c t i v e c o n t r o l s .
- U s e c a s e s t u d i e s t h a t h a v e i m p a c t e d t h
e b u s i n e s s o r o t h e r b u s i n e s s e s ( e . g .
v i r u s a t t a c k s , c r i t i c a l s e r v i c e o u t a g e s , p
r o j e c t s w i t h “ u n e x p e c t e d o u t c o m e s ” )
t o i l l u s t r a t e h o w i s s u e s m i g h t a r i s e .
I d e n t i f y r e l e v a n t e x a m p l e s o f g o v e r n a n c
e p r o v i d i n g b u s i n e s s b e n e f i t s b e y o n d t h e

b a s i c r e q u i r e m e n t o f e v i d e n c i n g c o n t r o l .
- U s e c a s e s t u d i e s t o i l l u s t r a t e h o w e f f e
c t i v e g o v e r n a n c e h a s i d e n t i f i e d r i s k
t o t h e b u s i n e s s , i t s o b j e c t i v e s a n d s t r a t e
g y, a n d b r o k e r e d a n a l t e r n a t i v e
s o l u t i o n .
- U s e c a s e s t u d i e s t o i l l u s t r a t e b u s i n e s s
b e n e f i t s a s a d i r e c t r e s u l t o f e f f e c t i v e
g o v e r n a n c e , e . g . r e d u c e d c o s t s , i m p r o v e
d q u a l i t y, p r o d u c t i v i t y, r e p u t a t i o n a n d
m a r k e t i n g a d v a n t a g e s .
S c e n a r i o m o d e l l i n g w i t h r i s k a s s e s s m e n t
a n d m i t i g a t i o n :
- C o n s i d e r k n o w n a n d n e w r i s k s a c r o s s b
o t h b u s i n e s s a n d I T ( e . g . e x t e r n a l a u d i t
r e q u i r e m e n t s )
- H o w g o v e r n a n c e c a n h e l p m i t i g a t e t h e
r i s k
- C a l c u l a t e a r i s k f a c t o r = l i k e l i h o o d x i
m p a c t
- C o n s i d e r o p t i o n s – a c c e p t , m i t i g a t e o r
a s s i g n
U s i n g c o m m o n b u s i n e s s l a n g u a g e :
- Te c h n o l o g i c a l r i s k i n f i n a n c i a l / e c o n o
m i c / b u s i n e s s t e r m s
- L e g a l / r e g u l a t o r y, c o n t r a c t u a l i m p l i c a
t i o n s
Critical Success Factors
I n v o l v e a l l r e l e v a n t s t a k e h o l d e r s i n a f a

c i l i t a t e d w o r k s h o p e n v i r o n m e n t
G e t c l e a r o w n e r s h i p a n d f u n d i n g c o m m i t
m e n t f o r r i s k m i t i g a t i n g a c t i o n s
M o n i t o r / t r a c k a l l a c t i o n s
4.4 Developing an influencing strategy
Critical to the success of any IT Governance initiative is an
effective communications plan. The communications plan
should
be based on a well-defined influencing strategy. Behaviours will
need to be changed and care should therefore be taken
to ensure that participants will be motivated and see the benefits
of the new approaches, as well as understanding the
consequences of accepting responsibility. If this is not
positively communicated, then IT Governance will not be
perceived as
part of the corporate mission with Board level support.
Management will resist it as a barrier to getting the job done, a
deviation
from current priorities, or another management fad.
The strategy should identify opportunities for the active
involvement of stakeholders in developing the governance
approach,
planning and implementing IT management changes, and ideally
building specific change objectives/targets into personal
performance plans. The stakeholders are likely themselves to be
the targets of change and should be involved in discussing/
evolving responses to the change via collaborative workshops,
focus groups etc.
20 21

The influencing strategies need to be designed to work in
specific situations with the individual influence targets
identified. The
following table shows four typical influencing styles, examples
of the communications involved and the associated leadership
styles. It is important to select the most appropriate style taking
into account who needs to be influenced and on what topic.
Focus on Roles and Responsibilities
I d e n t i f y a n o v e r a l l s p o n s o r a n d s t e e r i n g
g r o u p w i t h s p e c i f i c t a s k s a n d r e s p o n s i b i
l i t i e s
f o r l e a d i n g t h e c h a n g e
E n s u r e t h e r e i s a c o m p l e t e s t r u c t u r e o f c
a s c a d e d s p o n s o r s h i p d o w n t o t e a m / l i n e
m a n a g e r l e v e l
Focus on individual situations
I d e n t i f y c h a m p i o n s ( t h o s e h i g h o n i n t e r e
s t a n d / o r i n f l u e n c e )
U s e s u c c e s s e s a s b e n c h m a r k s
D i s s e m i n a t e a c r o s s t e a m s a n d s u p p o r t f o
r m a t i o n o f n e w t e a m s
Figure 4.4.1 shows different change approaches that can be
used. For IT Governance initiatives experience shows that
the best approach is incremental change evolving and adapting
of current practices to a new collaborative IT management
approach.
Communication Strategy & Culture4
Influencing style examples

Asserting Persuading Bridging Attracting
• Stating expectations of
improved IT Governance
and consequences of not
adopting the new control
model
• Evaluating current capability,
risk management, delivery
quality etc. and exposing
unacceptable performance
• Creating incentives by
setting clear IT Governance
objectives, based on
business priorities, backed
up by the personal reward
scheme
• Proposing new management
approaches, best practices,
standards for IT activities,
based on development
workshops
• Reasoning that changes are
needed, by educating top
management about the key
IT issues and the benefits
IT Governance can provide,
e.g. more ownership in the
business of IT projects
• Involving the business in IT

decision making, by breaking
down technical barriers
and encouraging shared
responsibility for IT outcomes
• Listening to user feedback
about IT services and
encouraging suggestions via
satisfaction surveys
• Disclosing IT problems and
incidents seeking workable
solutions instead of covering
them up
• Finding Common Ground by
developing corporate mission
statements and policies
about IT Governance with
support from the Board
• Visioning by IT and the
business developing shared
strategies and action plans,
backed up by measurable
and accountable objectives
and targets
Push Pull
Figure 4.4
Figure 4.4.1

22 23
4.5 Change roadmap
Every organisation will have its own existing culture and choice
of IT Governance paradigm that it wishes to adopt. The
roadmap to follow for cultural change and effective
communication will therefore be unique to your specific
situation.
The following techniques (Exploring Strategic, Change
Veronica Hope-Hailey, Julia Balogun, Gerry Johnson, Kevan
Scholes, Cranfield University) can help guide the best path to
follow, and can be used to assess how your organisational
culture and management style currently deals with the
governance of its IT activities and what cultural style it desires.
To
do this you must:
A n a l y s e t h e e x i s t i n g s t a t e
D e f i n e t h e d e s i r e d s t a t e
Cultural style and paradigms are formed from several
characterictics which can generally be illustrated as shown in
Figure
4.5.
Figure 4.5.1 illustrates some of the typical current and desired
IT Governance behaviours found in many organisations
today.
Figure 4.5
Characteristic Current Desired
Myths and Stories Poor business and IT alignment:

Project failures; budget overruns; poor
service, failure to meet business needs.
Effective business and IT alignment:
Demonstrable RoI, project success stories,
user satisfaction, business driving IT.
Symbols Mystique and technical jargon, lack of
business terms.
Common language based on customer
needs. Business literate in IT issues and
opportunities.
Power Structures Them and us attitudes. Collaboration.
Organisational Structures Divisive. IT seen as overhead
function. Partnerships. IT seen as business enabler.
Control System Based on departmental units and who knows
the most.
Based on defined processes, standards and
best practices owned by the organisation.
Routines and Rituals Hidden agendas, measures in provider’s
terms and a general lack of transparency
leaving top management in the dark.
Joint forums for monitoring progress,
measures in customer’s terms, transparent
reporting to top management.
Figure 4.5.1

22 23
5 Capability Maturity Assessment
5.1 Why IT capability is important . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.2 How to measure IT capability . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.3 Setting maturity targets and considering improvements . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.4 Roadmap for sustaining the approach . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.5 Self-assessment tools . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Monitoring and assessing the adequacy of IT Resources (people,
applications, technology, facilities, data) to ensure that they are
capable of supporting the current and proposed IT strategy is a
key aspect of IT Governance. In many
organisations board level management have a very unclear view
of their IT capability, and find it very difficult to understand
the technical and organisational IT environment upon which
they increasingly depend. Often inadequacies only manifest
themselves when projects fail, costs spiral, operational systems
crash, or service providers fail to deliver the value promised.
To exercise sufficient governance and oversight, senior
management should insist on objective and regular assessments
of
their internal and externally provided IT services to ensure any
inadequate capabilities are exposed before serious problems
occur, and then take the necessary action to rectify weaknesses.
In recent years, surveys and assessments carried out around
the world have shown that in general IT capabilities have not
kept pace with increasing IT complexities and the growing
demands for reliable, secure and flexible services. Cost control

and reducing inefficiencies are also important reasons for
reviewing technical and organisational capability.
Improving the maturity of IT capability both reduces risks and
increases efficiency – cost saving is
often a justification.
Capability Maturity Modelling (CMM) techniques (CMM was
created by the Software Engineering Institute with Carnegie
Mellon) are increasingly being adopted by many organisations
for assessing IT capability. This technique focuses on the
IT management processes that control IT resources, and
assessments usually reveal significant weaknesses and an IT
capability disproportionate to the high dependency
organisations have on their IT service providers. Using the
CMM scale it is
rare to find even a defined (level 3) process in many
organisations.
Management should insist on objective and transparent
assessments, and carry out these analyses as part of any due
diligence review, or request third party certifications when
considering outsourcing or during mergers and acquisitions.
Agreement then must be reached regarding where and how to
address inadequacies, by either investing in the internal
infrastructure or seeking externally provided outsourced
resources, or accepting the risks.
5.1 Why IT capability is important
A key to successful IT performance is the optimal investment,
use and allocation of IT resources (people, applications,
technology, facilities, data) in servicing the needs of the
enterprise. Most enterprises fail to maximise the efficiency of
their IT
assets and optimise the costs relating to these assets. In
addition, the biggest challenge in recent years has been to know

where and how to outsource and then to know how to manage
the outsourced services in a way that delivers the values
promised at an acceptable price.
Boards need to address appropriate investments in
infrastructure and capabilities by ensuring that:
T h e r e s p o n s i b i l i t i e s w i t h r e s p e c t t o I T s
y s t e m a n d s e r v i c e s p r o c u r e m e n t a r e
u n d e r s t o o d a n d a p p l i e d .
A p p r o p r i a t e m e t h o d s a n d a d e q u a t e s k i l l s
e x i s t t o m a n a g e a n d s u p p o r t I T p r o j e c t s
a n d s y s t e m s .
I m p r o v e d w o r k f o r c e p l a n n i n g a n d i n v e s t
m e n t t o e n s u r e r e c r u i t m e n t a n d m o r e
i m p o r t a n t l y, r e t e n t i o n , o f s k i l l e d I T s t a f
f .
I T e d u c a t i o n , t r a i n i n g a n d d e v e l o p m e n t
n e e d s a r e f u l l y i d e n t i f i e d a n d a d d r e s s e d
f o r
a l l s t a f f .
A p p r o p r i a t e f a c i l i t i e s a r e p r o v i d e d a n d
t i m e i s a v a i l a b l e f o r s t a f f t o d e v e l o p t h e
s k i l l s t h e y n e e d .
Capability Maturity Assessment5
24 25

Boards needs to ensure that IT resources are used and managed
wisely by ensuring that:
A p p r o p r i a t e m e t h o d s a n d a d e q u a t e s k i l l s
e x i s t i n t h e o r g a n i s a t i o n t o m a n a g e I T
p r o j e c t s .
T h e b e n e f i t s a c c r u i n g f r o m a n y s e r v i c e p
r o c u r e m e n t a r e r e a l a n d a c h i e v a b l e .
IT assets are complex to manage and continually change due to
the nature of technology, and changing business
requirements. Effective management of the lifecycle of
hardware, software licences, service contracts, and permanent
and
contracted human resources is a critical success factor in not
only optimising the IT cost base, but also for managing
changes,
minimising service incidents, and assuring a reliable quality of
service.
Of all the IT assets, human resources represent the biggest part
of the cost base and on a unit basis the one most likely
to increase. Identifying and anticipating the required core
competencies in the workforce is essential. When these are
understood, an effective recruitment, retention and training
programme is necessary to ensure that the organisation has the
skills to utilise IT effectively to achieve the stated objectives.”8
5.2 How to measure IT capability
To ensure IT resources are managed effectively, IT capability
should be assessed on a regular basis and whenever
resources are critical to strategic IT decisions. The capability
assessment should be:

B a s e d o n a l i g n m e n t o f I T g o a l s w i t h b u s i
n e s s g o a l s
Ta r g e t e d a t t h e I T p r o c e s s e s c r i t i c a l t o b
u s i n e s s s u c c e s s b y,
- A s s e s s i n g t h e c u r r e n t c a p a b i l i t y o f t h e
s e I T p r o c e s s e s
- D e t e r m i n i n g t h e r e q u i r e d c a p a b i l i t y
- A n a l y s i n g a n y g a p s i n c a p a b i l i t y
- P r o v i d i n g t r a n s p a r e n t v i s i b i l i t y o f t h e
c a p a b i l i t y p o s i t i o n
- D e f i n i n g a n d j u s t i f y i n g n e c e s s a r y i m p r
o v e m e n t p r o j e c t s o r
- R e - a d j u s t i n g t h e I T s t r a t e g y
A d j u s t i n g g o a l s
I m p r o v i n g c a p a b i l i t y
O u t s o u r c i n g w h e n c o s t - e f f e c t i v e
The measurement of IT capability should be an objective
assessment oriented towards business requirements. This will
ensure that the current “as-is” and required “to-be” capabilities
are realistic and measurable enabling any gaps to be identified
and a plan to be drawn up to rectify any shortcomings.
The Capability Maturity Model (CMM) approach first developed
by the Software Engineering Institute for measuring software
delivery capability is increasingly being adopted as the basis for
assessing overall IT capability. This model provides a
standard scale for assessing the maturity of any IT process on a
five-point scale (figure 5.2).
The following principles are recommended when carrying out
an assessment:
S e t S c o p e
S e l e c t a r e f e r e n c e m o d e l b a s e d o n s t a n d a

r d s a n d b e s t p r a c t i c e s m o s t s u i t a b l e
f o r y o u r b u s i n e s s , e . g . C o b i T, I T I L , S E I -
C C M , S i x S i g m a , I S O 9 0 0 0 / 9 0 0 1 , P M B O K
– p e r h a p s c o n s i d e r i n g w e i g h t i n g m e a s u r e
s
U s e a n a c c e p t a b l e m e a s u r e m e n t m e t h o d o
l o g y a g r e e d w i t h t h e s t a k e h o l d e r s w h i c h
i s d e f i n e d a n d t r a n s p a r e n t
S e t a b a s e l i n e i n t h e c o n t e x t o f 1 a n d 2 a b
o v e a n d p r e s e n t t h e c u r r e n t s t a t e
a s s e s s m e n t u s i n g a s c a l e o r r a t i n g s y s t e m
S e t r e a s o n a b l e o b j e c t i v e s f o r t h e t a r g e t
e d l e v e l o f c a p a b i l i t y
D e f i n e m e a s u r e s w h i c h r e l a t e b o t h t o “ t h
e j o u r n e y ” a s w e l l a s t h e “ e n d g o a l ” ( e . g .
t h e K P I s a n d K G I s r e c o m m e n d e d b y C o b i T
)
E n s u r e s i m p l i c i t y a n d f l e x i b i l i t y
L i m i t t h e n u m b e r o f m e a s u r e s , m i n i m i s e
m e a s u r e m e n t o v e r h e a d , a n d a v o i d
i n f o r m a t i o n o v e r l o a d
Consider the following critical success factors:
A p p r o p r i a t e l e v e l o f o w n e r s h i p
Av o i d c o m p l e x i t y a n d b e f l e x i b l e

24 25
E m b e d m e a s u r e s i n t o b u s i n e s s a s u s u a l p
r o c e s s e s
E n s u r e s t a f f h a v e a d e q u a t e s k i l l s , t r a i n i
n g a n d t o o l s
C r e a t e a r e p e a t a b l e p r o c e s s a n d a g r e e f r
e q u e n c y o f r e p o r t i n g
W h e r e p o s s i b l e a u t o m a t e m e a s u r e m e n t a
n d r e p o r t i n g
A s s e s s a c h i e v e m e n t a g a i n s t t a r g e t s a l o n
g s i d e o t h e r b u s i n e s s a s u s u a l t a r g e t s
5.3 Setting maturity targets and considering improvements
The real value of a capability assessment comes from the
identification and implementation of cost effective
improvements.
A realistic and practical approach is required to ensure that the
proposed improvements are based on business priorities, will
be supported and funded by management, and will be
successfully implemented.
The following approach is recommended:
1 . U n d e r s t a n d t h e e n v i r o n m e n t
2 . E s t a b l i s h c a p a b i l i t y i m p r o v e m e n t f r a
m e w o r k
3 . S e t r e a l i s t i c t a r g e t s a n d r e s p o n d t o e n
v i r o n m e n t c h a n g e s
4 . I d e n t i f y g a p s – p r i o r i t i s e i m p r o v e m e n
t s
5 . P r o p o s e a c h i e v a b l e s o l u t i o n s
5.4 Roadmap for sustaining the approach
Having initiated a capability assessment approach, and perhaps

performed a pilot project, a capability assessment process
needs to be implemented as part of normal business procedures.
The following practices are recommended to help ensure the
process is sustainable
A r t i c u l a t e c u r r e n t c a p a b i l i t i e s i n r e l a t i
o n t o a n a d o p t e d f r a m e w o r k
S e t c u r r e n t l e v e l s o f c a p a b i l i t y i n t h e c o
n t e x t o f e x t e r n a l c o m p a r i s o n s
Figure 5.2
26 27
S t a t e t h e e f f e c t o n t h e b u s i n e s s o f t h e c u
r r e n t I T c a p a b i l i t y s t a t e o f a f f a i r s . D e s c
r i b e
t h e r a m i f i c a t i o n s o f N O T i m p r o v i n g c a p a
b i l i t y e . g . a d d i t i o n a l c o s t s o r r i s k s ,
i n a b i l i t y t o r e a l i s e o p p o r t u n i t i e s , l a t e o
r n o n - d e l i v e r y o f t h e s t r a t e g i c d e v e l o p m
e n t
p r o g r a m m e , r e d u n d a n t e f f o r t
D e s c r i b e t h e b e n e f i t s o f i m p l e m e n t i n g i
m p r o v e m e n t s i n s p e c i f i c a r e a s
D e s c r i b e t h e p r o j e c t e d e f f e c t o n t h e b u s i
n e s s a f t e r d e l i v e r y o f e n h a n c e m e n t s

Initiating and sustaining capability enhancements
A g r e e s t e e r i n g a n d r e v i e w m e c h a n i s m , s p
o n s o r s h i p e t c .
A g r e e o n p r i o r i t i s e d p r o g r a m m e o f i m p r o
v e m e n t s
L o o k f o r c o n t i n u o u s i m p r o v e m e n t o p p o r t
u n i t i e s w h e r e i m p r o v e m e n t i s r e l e v a n t o r
n e c e s s a r y
F o l l o w t h e 8 0 : 2 0 r u l e , i . e . d o n ’ t i m p l e m
e n t m o r e t h a n i s n e c e s s a r y
E m b e d a l l i m p r o v e m e n t s a s “ b u s i n e s s a s
u s u a l ” , n o t a o n e - o f f i n i t i a t i v e
A l l i m p r o v e m e n t s s h o u l d b e a c h i e v a b l e ,
s u s t a i n a b l e , r e l e v a n t
M o t i v a t e e v e r y o n e i n v o l v e d b y p u b l i s h i
n g a n d c e l e b r a t i n g s u c c e s s e s
A g r e e k e y m e a s u r e s a r o u n d i m p l e m e n t a t i
o n o f i m p r o v e m e n t s a n d m e a s u r e s o f
r e s u l t a n t b u s i n e s s b e n e f i t – m a k e p a r t o f
a w i d e r I T b a l a n c e d s c o r e c a r d
A g r e e c o m m u n i c a t i o n t o t a r g e t s , s t a k e h
o l d e r s a n d s p o n s o r s a s w e l l a s t h e w i d e r
c o m m u n i t y w h e r e t h e r e i s l i k e l y t o b e a g
e n e r a l i n t e r e s t i n o u t c o m e s
P e r i o d i c a l l y r e v i e w t h e o b j e c t i v e s a n d r
e s e t g o a l s i f n e c e s s a r y, c h e c k i n g v a l i d i t
y o f
g o a l s a g a i n s t b u s i n e s s s t r a t e g y
5.5 Self-assessment tool
The simple self-assessment diagnostic in figure 5.5 can be used

to help show overall capability at a high level. It is based
on the four domains of CobiT, broken down into the 34 CobiT
sub-processes. The extent of the analysis depends on how
precise you wish to be. A management workshop can be used to
arrive at an approximate initial assessment without extensive
analysis.
26 27
IT Process/Maturity Im
p
o
rt
a
n
c
e
A
d
h
o
c
R

e
p
e
a
ta
b
le
D
e
fi
n
e
d
M
a
n
a
g
e
d
O
p
ti
m

is
e
d
Planning & Organisation
PO1 Define a Strategic Information Technology Plan H
PO2 Define the Information Architecture M
PO3 Determine the Technology Direction M
PO4 Define the IT Organisation and Relationships M
PO5 Manage the Investment in Information Technology M
PO6 Communicate Management Aims and Direction L
PO7 Manage Human Resources L
PO8 Ensure Compliance with External Requirements M
PO9 Assess Risks M
PO10 Manage Projects L
PO11 Manage Quality L
Acquisition & Implementation
AI1 Identify

Solution
s L
AI2 Acquire and Maintain Application Software M
AI3 Acquire and Maintain Technology Architecture M
AI4 Develop and Maintain Information Technology Procedures
M
AI5 Install and Accredit Systems L
AI6 Manage Changes M
Delivery & Support
DS1 Define Service Levels M
DS2 Manage Third-Party Services H
DS3 Manage Performance and Capacity M

DS4 Ensure Continuous Service L
DS5 Ensure Systems Security M
DS6 Identify and Allocate Costs L
DS7 Educate and Train Users L
DS8 Assist and Advise Information Technology Customers L
DS9 Manage the Configuration M
DS10 Manage Problems and Incidents H
DS11 Manage Data H
DS12 Manage Facilities L
DS13 Manage Operations M
Monitoring
M1 Monitor the Process M
M2 Assess Internal Control Adequacy M

M3 Obtain Independent Assurance M
M4 Provide for Independent Audit M
Figure 5.5
28 29
6 Risk Management
6.1 What are the risks? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.2 What is the best approach for risk analysis and
management? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29
6.3 How can standards and best practices be used – is
certification useful? . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.4 What are the roles of management, staff and auditors? . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.5 Who needs to be competent? . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Business ProjectProject Progress Evaluation Feedback Form .docx

Business ProjectProject Progress Evaluation Feedback Form .docx

Recommended

Recommended

More Related Content

Similar to Business ProjectProject Progress Evaluation Feedback Form .docx

Similar to Business ProjectProject Progress Evaluation Feedback Form .docx (20)

More from jasoninnes20

More from jasoninnes20 (20)

Recently uploaded

Recently uploaded (20)

Business ProjectProject Progress Evaluation Feedback Form .docx