IT Governance Frameworks Help Align Business and IT Interests and Objectives
By Przemek Tomczak, Protiviti Associate Director


The CIO’s job is a challenging one. Leaders in this position face a number of pressures that are now a regular part of the job. To name a few of these pressures, the information technology (IT) group is often expected to:
- Do more with less, but still meet business needs in a changing environment.
- Comply with evolving legislation and regulations.
- Keep up with continuing innovations in technology.
- Be an enabler and driver for business strategy.
The CIO’s job is made even more challenging by the heightened risks associated with the IT environment. Recently, many companies have made the headlines with high-profile data breaches, identity theft, security exposures, and system outages. The media coverage of these events has made it clear that companies that ignore IT risks and issues do so at their own peril.

The reality is that IT is no longer restricted to the backroom but rather operates as a key business player. Most companies now recognize the significant impact IT has on business performance. This is partly due to the Sarbanes-Oxley (SOX) Act of 2002, which, among other things, has forced public companies to improve internal control over financial reporting and the supporting IT systems. Now that companies are becoming comfortable with SOX compliance, many are beginning to pay more attention to what IT can do to support business objectives beyond compliance initiatives. This increased attention is in line with the objective of IT governance.
In order for the CIO and his/her IT organization to move forward in this challenging environment, IT governance is a must. Strong governance helps define and implement IT and business strategies and set priorities. As with any initiative, it is important to build a strong foundation so that IT governance becomes an integral and ongoing part of the business. The purpose of this publication is to provide readers with a framework for designing a successful IT governance program. In a follow-up article, I will provide a roadmap for addressing risk through IT governance.
What is IT governance?
IT governance is a discipline within corporate governance that strives to align business strategy with IT services. This is accomplished by establishing management mechanisms that ensure IT services are designed to meet the needs of the business. Businesses with strong IT governance processes often experience higher productivity, fewer errors, a greater ability to respond to business requests, and more projects coming in on time and on budget.
The IT Governance Institute (ITGI) was established in 1998 by the Information Systems Audit and Control Association (ISACA) to assist companies with designing, implementing and operating an IT governance environment. ITGI describes itself as “a research think tank that exists to be the leading reference on IT-enabled business systems governance for the global business community. ITGI aims to benefit enterprises by assisting enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals. By conducting original research on IT governance and related topics, ITGI helps enterprise leaders understand and have the tools to ensure effective governance over IT within their enterprise.”
The ITGI, in its Board Briefing on IT Governance states, “IT governance is not an isolated discipline. It is an integral part of overall enterprise governance. The need to integrate IT governance with overall governance is similar to the need for IT to be an integral part of the enterprise rather than something practiced in remote corners or ivory towers.”

Research demonstrates that businesses and their IT organizations are more successful when they implement IT governance practices. Listed below are key IT governance statistics from leading research organizations: The IT Process Institute (ITPI) and Gartner, Inc. You will find that these organizations communicate a consistent and positive message.
- The ITPI reports in its IT Controls Performance Study (2006 and 2007) that the use of foundational controls has a significant effect on IT performance. Relative to medium and low performers, top performing companies on average:
– Have 12–37% lower rates of unplanned work.
– Authorize and support 5–14X more IT changes, with 11–25% higher success rates.
– Support 2.6–6.6X more applications.
– Set aside 1.9–4.8X more hours per week for scheduled maintenance.
– Have 20–50% fewer late IT projects.
– Spend 35–58% less time to repair large IT system outages.
– Process 29–55% fewer “emergency” change requests.
– Have 6–22% higher first fix rates for incidents.
– Automatically detect 12–76% more potential security breaches.
– Support 1.3–1.9X more servers per system administrator.
– Have 39–52% fewer repeated audit deficiencies or findings.
– Have 18–30% higher customer satisfaction.
- Gartner, Inc. reports that:
– Not keeping track of distributed IT assets can increase cost by 7–10% a year.
– Organizations implementing ITIL experience IT operational cost reductions of 25–35% a year.
– Businesses typically spend 3–5% of revenues on IT yet seldom achieve competitive advantages.
– While ongoing support costs are visible and burdensome, the value of these investments remains difficult to measure.
– Hundreds of billions of dollars have been spent on IT over the years, and there is little to show for it.
How can frameworks help build strong IT governance practices?
For businesses realizing the importance of IT governance, the next questions often include: “How do we get started?” and “Where do we begin?” These questions lead us back to the concept of frameworks.
A quality IT governance approach focuses on understanding business requirements and risks, implementing technology to support current and future business needs, and operating the technology so it continues to support the business. To achieve this, an organization requires a foundation that supports the structure of the IT governance process. This foundation is ideally constructed using a trusted framework.
The chief value of most frameworks is that they provide a common language for discussing and solving problems using a holistic approach. This is important because IT needs to speak and understand the language of the business and vice versa. As the business environment changes, IT needs and demands also change. A sound framework will help IT and the business define and agree upon common objectives, set priorities, and mobilize IT resources to achieve those objectives.
Companies can leverage many frameworks and tools to select which practices and capabilities are relevant to their organizations, and take a risk-based approach to assessing and implementing IT governance practices. Before settling on a framework, leadership should examine the different frameworks applicable to IT governance and the situations in which they are typically used. The following are some of the most common frameworks used to create and assess an IT governance process. To receive the most benefit, organizations should tailor any framework to the organization’s needs.
CobiT
The CobiT Framework explains how IT processes deliver the information the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.
CobiT also identifies, for each IT process, which of the seven information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, and Reliability) and which IT resources (People, Applications, Information, and Infrastructure) are important for that process to fully support the business.
Val IT
Val IT is a recent ISACA creation that is closely integrated with CobiT. The Val IT Framework document states, “Val IT extends and complements CobiT, which provides a comprehensive control framework for IT governance. Specifically, Val IT focuses on the investment decision (Are we doing the right things?) and the realization of benefits (Are we getting the benefits?), while CobiT focuses on the execution (Are we doing them the right way, and are we getting them done well?).” With Val IT, companies now have a conceptual framework for aligning IT projects with business objectives, as well as for monitoring progress and measuring results.
The major processes in Val IT are: Value Governance, Portfolio Management, and Investment Management.
Information Technology Infrastructure Library (ITIL)
ITIL is a customizable and integrated framework of leading practices that promotes quality delivery of IT services. ITIL addresses the organizational structure and skill requirements for an IT organization by presenting a comprehensive set of management procedures with which an organization manages its IT operations. ITIL comprises five core volumes addressing: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.
ISO 27001
ISO 27001 is an international information security management standard intended to help organizations of any size or type establish and maintain an information security management system. The standard specifies a set of information security management requirements against which an organization can be certified. It defines its “process approach” as “The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management.”
The Capability Maturity Model (CMM)
The CMM is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. Originally developed by the Carnegie Mellon Software Engineering Institute, the CMM describes the state of a process using a common language. It consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process as Initial, Repeatable, Defined, Managed, or Optimizing. It applies to any process within an organization and, when applied effectively, improves the ability of organizations to meet goals for cost, schedule, functionality, and quality; it is also a useful tool when communicating with stakeholders. This model establishes a yardstick against which to determine and pursue improved performance.
What are top IT governance practices?
The ITGI states that the concept of IT governance “…is concerned about two things: IT’s delivery of value to the business and mitigation of IT risks. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise. Both need to be supported by adequate resources and measured to ensure that the results are obtained. This leads to the five main focus areas for IT governance, all driven by stakeholder value. Two of them are outcomes: value delivery and risk management. Three of them are drivers: strategic alignment, resource management (which overlays them all) and performance measurement.”
While setting the foundation of IT governance, it is important to address these five main areas of focus. These five areas will assist organizations in developing a well-rounded perspective and top governance practices.
Strategic Alignment
Governance starts with strategic alignment, which focuses on ensuring there is a linkage between business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
To achieve this aspect of governance, align IT with the business by:
- Understanding and supporting business objectives, performance goals, and requirements.
- Understanding how IT systems and activities support business requirements, processes, and priorities.
- Linking IT initiatives and services to key business imperatives—compliance, agility, revenue growth, cost optimization, and customer satisfaction.
- Involving business in managing key IT initiatives.
- Tracking, aligning, and prioritizing requests with business.
- Developing awareness, training, and use of existing IT capability (e.g. ERP functionality).
- Having business own the “budget” for key IT initiatives.
- Fostering innovation by identifying and implementing solutions to support and enable operational and competitive advantage.
Risk Management
Risk management involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This requires risk awareness by senior corporate officers; a clear understanding of the enterprise’s appetite for risk; understanding of compliance requirements; transparency about the significant risks to the enterprise; and embedding risk management responsibilities into the organization. To achieve this aspect of governance:

- Ensure information system availability and business continuity, security, and integrity by updating and implementing policies, procedures, standards, redundancy, monitoring, training, and testing of continuity and security capabilities.
- Assess, address, and communicate risks to key stakeholders and executive management.
- Support compliance by integrating IT into the compliance process and leveraging IT to optimize compliance. This presents significant opportunities to reduce the cost of compliance and add business value.
Performance Management
Performance management links strategy with corporate objectives in ways that make the best use of a company's resources by coordinating the efforts of every member of the organization. To achieve this aspect of IT governance:
- Measure and report performance of services and projects, processes, assets, resources, and activities.
- Measure and fairly allocate costs using transparent cost allocation methods, understanding the costs of projects and IT services, and by implementing IT asset management practices.
Value Delivery
Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT. To achieve this aspect of IT governance:
- Measure and communicate value by managing IT projects as business projects.
- Implement disciplined portfolio management.
- Monitor program and project management practices.
- Solicit feedback from the business on projects and value realized.
Resource Management
Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure, and people. Key issues relate to the optimization of knowledge and infrastructure. To achieve this aspect of IT governance:
- Be flexible by implementing an agile IT infrastructure to support and enable business change, and consolidate and standardize IT assets and practices.
- Establish a sound IT management and reporting structure to support service delivery and service support, internal control requirements including segregation of duties, managing projects as well as liaising and interacting with the business.
Other Critical Success Factors for IT Governance
During the process of developing an IT governance environment, it is important to remember why this significant effort is being undertaken in the first place: to establish management mechanisms that ensure IT services are designed to meet the needs of the business (including risk management). Keeping this purpose top-of-mind will lead to the many benefits discussed throughout this publication.
In addition to frameworks and the five areas of focus previously discussed, what other items cannot be overlooked during this process? Like any major initiative, the success of IT governance relies on the presence of leadership support, communication, execution, and people.
- Senior management sponsorship and involvement – Most importantly, the focus on frameworks and the five areas of IT governance does not replace the need for leadership to own this process. Leadership provides the necessary focus, direction, resources, roadblock removal, and support to ensure the intended benefits of IT governance are achieved. The lack of senior management’s active involvement in IT governance makes it extremely difficult for any change to be introduced or maintained within the organization. If senior management does not provide the required level of support for the initiative, how are management and its staff expected to provide the level of resources and time needed to enact the change?
- Communication and awareness – An open environment enables organization-wide change and the ability to anticipate and respond to resistance. Training of management and staff on frameworks, terminology and proposed changes helps obtain buy-in and sustain support from key stakeholders. By providing this training and regularly reinforcing it, senior management establishes a strong tone-at-the-top, which increases the likelihood of effective process execution.
- Focus on execution and results – When faced with decisions regarding IT governance, leadership should focus on the execution of the process. Set the process up for success by setting achievable targets that focus on business priorities. Leading companies are concerned with whether they are improving continuously and therefore institute a series of “monitoring” measures. When modeling processes after leading companies, organizations should measure and monitor the implementation and benefits of IT governance against set criteria. The desired results of this effort should be higher returns on investment and an IT function that plays an important role in achieving business objectives. In the end, the true results and achievements should be adequately communicated to foster an environment of continuous improvement.
- Simplify and evolve the process by communicating the proposed changes in terms management and staff can understand – Success with change is often associated with keeping it simple. Complex processes and practices make it difficult for business and IT stakeholders to adopt and understand proposed changes. Build on existing good practices and tools, where possible, to build acceptance and support for the change. When building an IT governance program, it is important to be process-focused (i.e., How will the process work?) and conscious of the user community (i.e., What will work best for the participants?). Standardize practices but do not forget to monitor and respond to deviations from defined standards. Ultimately, treat the IT improvement as a continuous process as opposed to a management short-lived fad.
In addition to these critical success factors, it is important to consider: What is internal audit’s role in IT governance? Internal audit should:
- Assist management with implementing sound IT governance practices.
- Review and provide feedback to management on IT risks in the context of the business in which the IT organization operates.
- Focus on the design and operating effectiveness of management’s practices to manage key IT risks.
In the end, it is up to management to decide what practices to implement. It is up to internal audit to provide feedback. IT governance is a learning process, and to be successful for the long term, it must evolve over time. As the company moves forward with building the ideal IT governance program, management and internal audit should not feel discouraged if adjustments need to be made. It takes patience and time to successfully implement a best practice program.
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

