Enterprise Governance of IT
Prof. dr. Wim Van Grembergen
Dr. Steven De Haes
University of Antwerp (UA)
University of Antwerp Management School (UAMS)
IT Alignment and Governance Research Institute (ITAG)
www.uams.be/itag
2
Agenda
• Enterprise Governance of IT
• Enterprise Governance of IT practices
• Enterprise Governance of IT as enabler for business / IT alignment
• Enterprise Governance of IT as enabler for business value
3
Setting the scene
“IT doesn’t matter!” (Nicholas Carr, HBR, 2003)
4
Setting the scene
"Firms with superior IT governance have at least 20% higher profits...than firms with poor governance given the same strategic objectives." (Louis Boyle, VP Gartner EXP, 2006)
5
IT governance definitions
IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensuring the fusion of business and IT. (Van Grembergen, 2002)
IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
(IT Governance Institute, 2001)
6
Three layers
[Figure: three layers of IT governance]
• strategic level: Board of directors
• management level: Executive management (CEO, CIO, …)
• operational level: IT and business management
7
Moving to Enterprise Governance of IT
Enterprise governance of IT (EGIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organisation that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.
(Van Grembergen & De Haes, 2009)
8
ISO 38.500 principles for Enterprise Governance of IT
• Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.
• Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
• Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
• Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
• Principle 5: Conformance
IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
• Principle 6: Human Behaviour
IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.
9
Key assets governance
[Figure: the Board and the Executive committee govern the key assets through governance practices]
• Key assets: Human assets, Financial assets, Physical assets, IP assets, Inform. & IT assets, Relationship assets
• Practices shown: Financial governance practices, IT governance practices
10
IT Governance versus IT Management (Peterson, 2003)
[Figure: IT Management and IT Governance positioned on two axes: Business Orientation (Internal, External) and Time Orientation (Present, Future)]
11
Structures, processes and relational mechanisms
Enterprise governance of IT
• Structures: Roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s)
• Processes: Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT, Val IT, ITIL, IT alignment / governance maturity models
• Relational mechanisms: Active participation and collaboration between principal stakeholders, Partnership rewards and incentives, Business/IT co-location, Cross-functional business/IT training and rotation
12
Structures: Roles & responsibilities (Weill & Woodham)
[Figure: matrix of governance archetypes against IT decision domains, with an Input and a Decision column for each domain]
• Archetypes: Anarchy, Duopoly, Federal, Feudal, IT monarchy, B. monarchy
• Decision domains: IT principles, IT architecture, IT infrastructure strategies, Business application needs, IT investment
Top three governance performers (achieving 4 performance objectives, weighted by importance)
13
Structures: Principles for Enterprise Governance of IT
• IT is a professional organization that effectively and efficiently manages its resources in alignment with the needs of the organization.
• IT is the exclusive provider of IT services. Outsourcing is always organised in joint partnership between business and IT.
• IT is pro-actively engaged in further developing and innovating the organization.
• IT primarily develops and maintains competencies that are aligned to and required for supporting the expertise available in the organization.
• The priorities within IT are aligned to the strategic goals of the organizations through integrated planning cycles.
• All IT applications comply with rules and policies as mutually agreed upon by business and IT.
• IT is pro-actively engaged in reviewing and designing efficient business processes.
• IT and the business collaborate based on fixed agreements. Based on a scope definition, impact analysis and capacity reviews, both business and IT commit to timely delivery within quality requirements.
• There is transparency on the required service quality that IT has to deliver to the business, and this service quality is continuously monitored.
• Starting from the initial development of a new business project, the potential impact on IT needs to be analysed.
14
Structures: IT strategy committee (IT Governance Institute, 2002)
• a board may carry out its IT governance duties through an IT strategy committee
• the IT strategy committee has to consider:
  • how the board should become involved in IT governance
  • how to integrate the board’s role in IT and business strategy
• the IT strategy committee needs to offer expertise and timely advice and direction on topics such as:
  • the alignment of IT with the business directions
  • the achievement of strategic IT objectives
  • the availability of suitable IT resources, skills and infrastructure
  • optimization of IT costs
  • the role and the value delivery of external IT sourcing
  • risk, return and competitive aspects of IT investments
  • progress on major IT projects
  • measurement of IT performance
15
Structures: IT strategy committee (IT Governance Institute, 2002)
• membership:
  • chairman (board member)
  • several board members
  • IT experts as external advisors
• the IT strategy committee should work in close partnership with
  • other board committees
  • management committees
16
Structures: IT strategy committee versus IT steering committee (IT Governance Institute, 2002)
• an IT strategy committee is on board level whereas an IT steering committee is on executive level
• an IT steering committee:
  • assists the executive in the delivery of the IT strategy
  • oversees day-to-day management of IT service delivery and IT projects
  • focuses on implementation
• membership of an IT steering committee
  • sponsoring executive
  • business executive (key users)
  • CIO
  • key advisors as required (IT, audit, legal, finance)
17
Processes: Balanced Scorecard (Van Grembergen et al., 2002; Van Der Zee and De Jong, 1999)
• basic idea of the BSC is that traditional financial measures should be supplemented with measures concerning customer satisfaction, internal processes, and the ability to innovate
• the BSC, initially developed at enterprise level, can also be applied to IT, and through a cascade of business and IT scorecards integrated business and IT management can be realized
• when using the BSC alignment method, business goals and the drivers of business success are identified, including specific IT drivers (in this way, IT can be integrated in the business)
• IT BSC is becoming a popular tool with its concepts widely supported and dispersed by consultant groups
18
Generic IT Balanced Scorecard
[Figure: the four perspectives of the generic IT Balanced Scorecard]
• Corporate Contribution
• Future Orientation
• User Orientation
• Operational Excellence
19
Corporate Contribution Scorecard
To enable and contribute to the achievement of business objectives through effective delivery of value added information services.
Objective | Measures | Benchmark
Business/IT Alignment | Operational plan/budget approval | N/A
Value Delivery | Measured in business unit performance | N/A
Cost Management | Attainment of expense and recovery targets; Attainment of unit cost targets | Industry expenditure comparisons; Compass operational “Top Performing” levels
Risk Management | Results of internal audits; Execution of Security Initiative; Delivery of Disaster Recovery Assessment | OSFI Sound Business Practices; N/A; N/A
Inter-company Synergy Achievement | Attainment of targeted integration cost reductions; Single system solutions; Target State Architecture approval; IT organization integration | Merger & Acquisition guidelines; N/A; N/A; N/A
20
User Orientation Scorecard
To be the supplier of choice for all information services, either directly or indirectly through supplier relationship
Objective | Measures | Benchmark
Competitive Costs | Attainment of unit cost targets; Blended labour rates | Compass operational “Top Performing” levels; Market comparisons
Development Services Performance | Major project success scores: recorded goal attainment, sponsor satisfaction rating, project governance rating | N/A
Operational Services Performance | Attainment of targeted service levels | Competitor comparisons
Customer Satisfaction | Business unit survey ratings: cost transparency and levels, service quality and responsiveness, value of I.S. advice and support, contribution to business objectives | N/A
21
Operational Excellence Scorecard
To deliver timely and effective IT services at targeted service levels and costs
Objectives | Measures | Benchmark
Development Process Performance | Function point based measures of: productivity, quality, delivery rate | TBD
Operational Process Performance | Benchmark based measures of: productivity, responsiveness, change management effectiveness, incident occurrence levels | Selected Compass Benchmark studies
Process Maturity | Assessed levels of maturity and compliance in priority processes within: planning and organization, acquisition and implementation, delivery and support, monitoring | TBD (ITGI)
Enterprise Architecture Management | Major project architecture approval; Product acquisition compliance to technology standards; “State of the Infrastructure” assessment | N/A
22
Future Orientation Scorecard
To develop the internal capabilities to continuously improve performance through innovation, learning and personal organizational growth
Objectives | Measures | Benchmark
Human Resource Management | Results against targets: staff complement by skill type; staff turnover; staff “billable” ratio; professional development days per staff member | N/A; Market comparison; Industry standard; Industry standard
Employee Satisfaction | Employee satisfaction survey scores in: compensation, work climate, feedback, personal growth, vision and purpose | North American technology dependent companies
Knowledge Management | Delivery of internal process improvements to “Cybrary”; Implementation of “lessons learned” sharing process | N/A; N/A
23
Cascade of scorecards
[Figure: cascade from Business Objectives to the IT strategic balanced scorecard and on to the Governance Services Scorecards, Development Services Scorecards and Operational Services Scorecards]
24
Roll-up to Service Level Performance metrics in IS Strategic Scorecard
Service level performance metrics: Average Speed of Answer, Resolution Rate at Initial Call, Call Abandonment Rate
IS Service Desk Unit Scorecard
• Corporate Contribution: Expense Management *, Cost per Contact, Cost per User
• Customer Orientation: Client Satisfaction *, Average Speed of Answer, Resolution Rate at Initial Call, Call Abandonment Rate, Customer Caused Incidents
• IS Process: DS8 Process Maturity (Incident Management), Call Volume, Percent Automatically Logged Incidents, Call Monitoring: Quality of Tickets & Quality of Calls, Average Number of Calls/Agent
• Future Orientation: Staff Complement *, Staff Turnover *, PD Days/Staff Member *, Employee Satisfaction *, Implementation of Knowledge Base Tool
* Will Aggregate as part of the I.S. Strategic Scorecard
25
Causal relationships
[Figure: the four scorecard perspectives linked in an IF ... THEN ... THEN ... THEN chain]
• Carrying out the roles of the IT division's mission (operational excellence)
• Measuring up to business expectations (user orientation)
• Ensuring effective IT Governance (business contribution)
• Building the foundation for delivery and continuous learning and growth (future orientation)
26
MATURITY LEVEL 1: There is evidence that the organization has recognized that there is a need for a measurement system for its information technology division. There are ad hoc approaches to measure IT with respect to the two main IT processes, i.e. operations and systems development. This measurement process is often an individual effort in response to specific issues.
MATURITY LEVEL 2: Management is aware of the concept of the IT balanced scorecard and has communicated its intent to define appropriate measures. Measures are collected and presented to management in a scorecard. Linkages between outcome measures and performance drivers are generally defined but are not yet precise, documented or integrated into strategic and operational planning processes. Processes for scorecard training and review are informal and there is no compliance process in place.
MATURITY LEVEL 3: Management has standardized, documented and communicated the IT BSC through formal training. The scorecard process has been structured and linked to business planning cycle. The need for compliance has been communicated but compliance is inconsistent. Management understands and accepts the need to integrate the IT BSC within the alignment process of business and IT. Efforts are underway to change the alignment process accordingly.
MATURITY LEVEL 4: The IT BSC is fully integrated into the strategic and operational planning and review systems of the business and IT. Linkages between outcome measures and performance drivers are systematically reviewed and revised based upon the analysis of results. There is a full understanding of the issues at all levels of the organization that is supported by formal training. Long term stretch targets and priorities for IT investment projects are set and linked to the IT scorecard. A business scorecard and a cascade of IT scorecards are in place and are communicated to all employees. Individual objectives of IT employees are connected with the scorecards and incentive systems are linked to the IT BSC measures. The compliance process is well established and levels of compliance are high.
MATURITY LEVEL 5: The IT BSC is fully aligned with the business strategic management framework and vision is frequently reviewed, updated and improved. Internal and external experts are engaged to ensure industry best practices are developed and adopted. The measurements and results are part of management reporting and are systematically acted upon by senior and IT management. Monitoring self-assessment and communication are pervasive within the organization and there is optimal use of technology to support measurement, analysis, communication and training.
IT BSC maturity model
27
Processes: Information Economics (Parker, M., 1996; Van Grembergen and Van Bruggen, 1997)
• the information economics method is an alignment technique whereby both business and IT score IT projects
• this evaluation method takes into account the ROI of a project and different non-tangibles such as “strategic match of the project” (business evaluation) and “match with the strategic IT architecture” (IT evaluation)
• information economics is a scoring technique resulting in a weighted total score based on the scores for the ROI and the non-tangibles (typically scores from 0 to 5 are attributed, whereby 0 means no contribution and 5 refers to a high contribution)
• information economics can be used as an alignment process with the objectives of prioritizing and selecting projects
28
29
Processes: COBIT and VALIT as frameworks for Enterprise Governance of IT
[Figure: the two frameworks within Enterprise Governance of IT]
• COBIT: Focus on IT processes
• Val IT: Focus on IT-related business processes
30
COBIT Framework
Business and Governance Objectives
INFORMATION criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT RESOURCES: data, application systems, infrastructure, people
PLANNING AND ORGANISATION
• PO1. define a strategic IT plan
• PO2. define the information architecture
• PO3. determine technological direction
• PO4. define the IT processes, organization and relationships
• PO5. manage the IT investment
• PO6. communicate management aims and direction
• PO7. manage IT human resources
• PO8. manage quality
• PO9. assess and manage risk
• PO10. manage projects
ACQUISITION AND IMPLEMENTATION
• AI1. identify automated solutions
• AI2. acquire and maintain application software
• AI3. acquire and maintain technology infrastructure
• AI4. enable operation and use
• AI5. procure IT resources
• AI6. manage changes
• AI7. install and accredit solutions and changes
MONITOR AND EVALUATE
• ME1. monitor and evaluate IT performance
• ME2. monitor and evaluate internal control
• ME3. ensure regulatory compliance
• ME4. provide IT governance
DELIVERY AND SUPPORT
• DS1. define and manage service levels
• DS2. manage third party services
• DS3. manage performance and capacity
• DS4. ensure continuous service
• DS5. ensure systems security
• DS6. identify and allocate costs
• DS7. educate and train users
• DS8. manage service desk and incidents
• DS9. manage the configuration
• DS10. manage problems
• DS11. manage data
• DS12. manage the physical environment
• DS13. manage operations
31
• High-level and detailed Control Objectives
• Management Guidelines
  • Inputs – outputs
  • RACI chart
  • Goals and metrics
• Maturity models
• Assurance Guidelines – Implementation Guidelines
The Major Elements of COBIT
COBIT Control Objectives
33
Example: Detailed Control Objectives for Manage Changes (AI6)
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder.
AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.
34
1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.
2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.
3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.
4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.
5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
COBIT - IT Control Practices
35
COBIT
Management Guidelines
Inputs – Outputs
36
Each process has primary inputs and outputs with process linkages
[Figure: inputs and outputs of process PO1. Labels shown: Risk Appetite; Business Strategy; Understanding of the business context, capability and capacity; Mission and Goals; Service Portfolio; Project Portfolio; Tactical Plan; Strategic Plan]
37
COBIT
Management Guideline
RACI Chart
38
RACI chart providing roles and responsibilities
[Figure: RACI chart for process PO1. Role columns shown: CEO; CFO; Business Executive; CIO; Business Sr Management; Head of Operations; Chief Architect or CTO; Head of Development; Head of IT Admin; HR, Fin, etc; CARS; PMO]
39
COBIT
Management Guideline
Goals and metrics
40
Example: Goals and metrics for Manage Changes (AI6)
41
COBIT
Maturity models
42
Example: Maturity Model for Manage Changes (AI6)
0 Non-existent when
There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
1 Initial/Ad Hoc when
It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 Repeatable but Intuitive when
There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change.
3 Defined Process when
There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.
4 Managed and Measurable when
The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process.
5 Optimised when
The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.
43
Portfolio Management
Programme Management
Project Management
Programme – a structured grouping of projects that are both necessary and sufficient to achieve a business outcome and deliver value, including business change management, business processes, people, etc. (primary unit of investment within VALIT)
Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget (that is necessary but not sufficient to achieve a required business outcome)
Portfolio – a suite of business programmes managed to optimise overall enterprise value
Val IT: Projects, Programmes, Portfolios and Value
Value – the end business outcome expected from an IT-enabled business investment where such outcomes may be financial, non-financial or a combination of the two.
44
Val IT - Relationship between Processes & Practices
Establish Governance Framework for Value Management (VG)
• Establish informed and committed leadership
• Define and implement processes
• Define portfolio types
• Align and integrate Value Management with enterprise financial planning
• Establish effective governance monitoring
• Implement lessons learned
Manage the Investment Portfolio (PM)
• Establish strategic direction and target investment mix
• Determine availability and sources of funding
• Human Resource Management
• Evaluate and select programmes to fund
• Monitor and report on portfolio performance
• Optimise portfolio performance
Manage the Investments (IM)
• Develop the programme plan
• Launch and manage the programme
• Develop full life cycle costs and benefits
• Monitor and report on the programme
• Update operational IT portfolios
• Retire the programme
• Develop and evaluate initial programme concept business case
• Understand candidate programme and implementation options
• Develop detailed candidate programme business case
• Update the business case
45
VG processes
• VG01 Establish informed and committed leadership:
  - VG01.1 Develop an understanding of significance of IT and role of governance
  - VG01.2 Establish effective reporting lines
  - VG01.3 Establish a leadership forum
  - VG01.4 Define value for the enterprise
  - VG01.5 Ensure alignment and integration of business and IT strategies with key business goals
• VG02 Define and implement processes:
  - VG02.1 Define the value governance framework
  - VG02.2 Assess the quality and coverage of current processes
  - VG02.3 Identify and prioritise process requirements
  - VG02.4 Define and document processes
  - VG02.5 Establish, implement and communicate roles, responsibilities and accountabilities
  - VG02.6 Establish organisational structures
• VG03 Define portfolio characteristics:
  - VG03.1 Define portfolio types
  - VG03.2 Define categories (within portfolios)
  - VG03.3 Develop and communicate evaluation criteria (for each category)
  - VG03.4 Assign weightings to criteria
  - VG03.5 Define requirements for stage-gates and other reviews (for each category)
46
Example
[Figure: two-by-two grid with the modes Support Mode, Factory Mode, Turnaround Mode and Strategic Mode; vertical axis: Low to high need for reliable information technology; horizontal axis: Low to high need for new information technology]
Nolan R., McFarlan F.W., 2005, Information Technology and Board of Directors, Harvard Business Review
VG01.1 Develop an understanding of significance of IT and role of governance
47
Example
[Figure: investment categories as defined by three sources]
McKinsey: Change The Rule; Win The Race; Stay In The Race
Weill: Transactional; Infrastructure; Strategic; Informational
Benefit groups shown with the categories:
• Increased sales, Competitive advantage, Competitive necessity, Market positioning, Innovative services
• Business integration, Business flexibility and agility, Reduced marginal costs of business unit’s IT, Reduced IT costs over time, Standardization
• Cut costs, Increased throughput
• Increased control, Better information, Better integration, Improved quality
KBC:
• Investment budget: Major business enablement and infrastructure budget, e.g. implementation SAP
• Continuity budget: Upgrade or enhancement of existing applications, e.g. implementation of specific reporting due to legal requirements
• Maintenance budget: Break/fix projects under eight man weeks, e.g. creation of new screens
• Production budget
• ICT basic budget
Percentages shown in the figure: +/- 50%, +/- 50%, +/- 33%, +/- 33%, +/- 33%
VG03.2 Define categories (within portfolios)
48
Example
VG03.3 Develop and communicate evaluation criteria (for each category)
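Basic criteria and project class, by level:
HIGH
• Project class (number of planned man days): > 2000
• Profitability, pay back time (years): < 1.5
• Competitive advantage: improve performance significantly on customer key buying factors for strategic segments
• Operational urgency: direct reaction on extreme operational risk, changed legal or operational environment, extreme maintenance risk
• Decision support: high impact support for key decision makers
MEDIUM HIGH
• Project class (number of planned man days): 1000 – 2000
• Profitability, pay back time (years): 1.5 – 2.5
• Competitive advantage: improve performance on customer key buying factors for other segments
• Operational urgency: eliminate critical operational handicaps
• Decision support: other support for key decision makers
MEDIUM
• Project class (number of planned man days): 500 – 1000
• Profitability, pay back time (years): 2.5 – 4
• Competitive advantage: improve performance slightly on customer key buying factors
• Operational urgency: reduce weak points in current operations
• Decision support: high impact for other management
MEDIUM LOW
• Project class (number of planned man days): 200 – 500
• Profitability, pay back time (years): 4 – 6
• Competitive advantage: improve performance on other buying factors
• Operational urgency: avoid small problems in operational usage
• Decision support: ongoing support for other management
LOW
• Project class (number of planned man days): < 200
• Profitability, pay back time (years): > 6
• Competitive advantage: no impact on competitive position
• Operational urgency: no urgency
• Decision support: no impact on management effectiveness

Points per criterion (rows: project class; columns: H, MH, M, ML, L)

Decision support
Project class | H | MH | M | ML | L
L | 5 | 4 | 3 | 2 | 1
ML | 4 | 3 | 2 | 1 | 1
M | 3 | 2 | 1 | 1 | 1
MH | 2 | 1 | 1 | 1 | 1
H | 1 | 1 | 1 | 1 | 1

Operational urgency
Project class | H | MH | M | ML | L
L | 5 | 4 | 3 | 2 | 1
ML | 5 | 4 | 3 | 1 | 1
M | 5 | 3 | 2 | 1 | 1
MH | 5 | 3 | 2 | 1 | 1
H | 5 | 2 | 1 | 1 | 1

Competitive advantage
Project class | H | MH | M | ML | L
L | 5 | 5 | 4 | 2 | 1
ML | 5 | 4 | 3 | 1 | 1
M | 4 | 4 | 2 | 1 | 1
MH | 4 | 3 | 2 | 1 | 1
H | 3 | 2 | 1 | 1 | 1

Profitability
Project class | H | MH | M | ML | L
L | 5 | 4 | 3 | 2 | 1
ML | 5 | 4 | 3 | 2 | 1
M | 4 | 3 | 3 | 2 | 1
MH | 4 | 3 | 2 | 1 | 1
H | 3 | 2 | 2 | 1 | 1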
Sidmar-Arcelor
A 5 points on at least one criterion
Accept, high priority
B 4 points on profitability or 3 points on at least two criteria
Accept
C 3 points on profitability or total of 7 points
Accept if resources available
D 3 points on one criterion
Accept only if subcontractable
E All other projects
Decline
49
VG processes
• VG04 Align and integrate Value Management with enterprise financial planning:
- VG04.1 Review current enterprise budgeting practices
- VG04.2 Determine Value Management financial planning practice requirements
- VG04.3 Identify changes required
- VG04.4 Implement optimal financial planning practices for Value Management
• VG05 Establish effective governance monitoring:
- VG05.1 Identify key metrics
- VG05.2 Define information capture processes and approaches
- VG05.3 Define reporting methods and techniques
- VG05.4 Identify and monitor performance improvement actions
• VG06 Continuously improve Value Management practices
- VG06.1 Implement lessons learnt
50
PM processes
• PM01 Establish strategic direction and target investment mix:
- PM 1.1 Review and ensure clarity of business strategy and goals
- PM 1.2 Identify opportunities for IT to support and influence the business strategy
- PM 1.3 Define appropriate investment mix
- PM 1.4 Translate business strategy and goals into IT strategy and goals
• PM02 Determine the availability and sources of funds:
- PM02.1 Determine overall investment funds
• PM03 Manage availability of human resources:
- PM03.1 Create and maintain an inventory of business human resources
- PM03.2 Understand the current and future demand (for business human resources)
- PM03.3 Identify shortfalls (between current and future business human resource demand)
- PM03.4 Create and maintain tactical plans (for business human resources)
- PM03.5 Monitor, review and adjust (business function allocation and staffing)
- PM03.6 Create and maintain an inventory of IT human resources
- PM03.7 Understand the current and future demand (for IT human resources)
- PM03.8 Identify shortfalls (between current and future IT human resource demand)
- PM03.9 Create and maintain tactical plans (for IT human resources)
- PM03.10 Monitor, review and adjust (IT Function allocation and staffing)
51
IT Goals (matrix columns)
- Developing innovative IT services with a focus on information security
- Fulfilling SLA's with business departments
- Increasing IT department efficiency
- Integration and consolidation of different IT departments
- IT disaster recovery and business continuity
- IT governance / IT strategic alignment
- IT measures to satisfy Basel II requirements
- Lowering cost of transaction processing
- Making IT measurable
- Optimizing the IT infrastructure
- Rapid development of new IT services
- Reducing external staff
- Standardising IT systems
Business Goals (matrix rows, each followed by the P/S marks of its row)
- Achieving compliance with Basel II regulations: S S P
- Improving competitiveness through IT: P P S P
- Improving customer orientation and service: P S P S S P S
- Post-merger integration and consolidation: P S S S S
- Reducing operational cost: P P S S P P P P P
- Reducing transaction cost: P S S P P S S
- Risk management: S P S S P P S P S
- Shortening service development lifecycle: S S P
- Tailoring solutions for different target groups: P S
Example
PM 1.4 Translate business strategy and goals into IT strategy and goals
52
PM processes
• PM04 Evaluate and select programmes to fund:
- PM 4.1 Evaluate and assign relative scores to programme business cases
- PM 4.2 Create overall investment portfolio view
- PM 4.3 Make and communicate investment decisions
- PM 4.4 Specify stages-gate and allocate funds to selected programmes
- PM 4.5 Adjust business targets, forecasts and budgets
• PM05 Monitor and report on investment portfolio performance
- PM 5.1 Monitor and report on portfolio performance
• PM06 Optimise investment portfolio performance
- PM 6.1 Optimise portfolio performance
- PM 6.2 Reprioritise the portfolio
53
Scoring of investment dossiers
Columns: ATS; Lead ATS; Pnr; Dossier name; followed by the score columns:
- Return
- Alignment with strategy
- Competitive advantage and necessity
- Necessity
- Management support
- Information architecture
- Reduction of operational risks
- Project risk & organisational risk
- Functional uncertainty
- Technical uncertainty
Investment dossiers
Ongoing dossiers in 2004
RET MKT 0020 Interest and liquidity risk (ALM_TDI) 1 5 4 5 5 5 5 2 5 5
OND OND 0021 Quantitative Credit Risk Management (QCR) 4 5 5 5 5 5 1 4 5 5
RET RET 0119 KBD : Multikanalen krediettoep. aan particulieren 4 5 4 3 3 5 5 2 1 1
RET RET 0202 KIT 4 5 4 4 3 3 5 3 1 3
RET RET 0232 Oleander (totaaloplossing Leven Ondernemingen) 1 5 5 1 3 5 3 3 1 2
NAV NAV 0245 Collateral Management Fase 2 5 3 3 1 3 5 5 3 3 4
BED BED 0292 Bankwijd Web-enablen van ICMtoepassingen 4 5 5 1 3 1 1 4 1 3
NAV NAV 0397 IPE / EBOBA 1 5 4 1 3 5 3 4 5 4
NAV NAV 0399 Verwerking OTC Derivaten 4 5 4 4 3 5 4 1
RET RET 0403 VA Front-end Leven
RET RET 0406 Product fabriek Schadeverzekeringen 2 5 4 1 1 5 3 4 1 3
OND OND 0442 Operationeel Risicobeheer 5 5 5 5 5 3 5 3 3 3
RET RET 0449 Herwerken cliënten output 5 5 4 5 1 5 5 3 5 2
OND OND 0456 IAS Verzekeringen 4 5 4 5 5 3 3 4 5 3
OND OND 0479 Beperking van de volatiliteit onder IAS 1 5 3 5 5 3 1 4 5 2
OND OND 0501 ERP voor ondersteunende diensten B+V
RET RET 0518 OFS (Ontwikkeling Financiele Services) 4 5 4 1 3 5 5 3 1 3
New
RET RET 0308 Migratie Centea 1 5 3 1 5 5 3 3 1 3
OND OND 0480 Reconciliatietool 1 5 1 3 3 5 1 3 3
RET RET 0884 Pleander Voorstudie Particulieren leven anders 1 5 5 2 3 5 3 2 5 2
OND OND 0887 Europese Spaarfiscaliteit 1 5 4 3 3 5 4 5 1
OND OND 0899 ERP - Fase 2 1 5 5 5 5 3 5 4 5 3
Colour legend: Yellow, Green, Red
Column groups: Risks; Value category
PM 4.1 Evaluate and assign relative scores to programme business cases
Example
54
Example
Figure: Financial Worth vs. Risk (vertical axis: Financial Worth, 0 to 10; horizontal axis: Overall Risk, 10 to 0)
Legend
Green = “Are” Risk score between 1 & 3.9
Yellow = “Are” Risk score between 4 & 6.9
Red = “Are” Risk score between 7 & 10
Right Things; Confirmed Benefits
Right Way; Done Well
Zones: Hold, Proceed, Stop
Programs plotted: Program 21, 13, 03, 02, 24, 19, 17, 09, 01, 06, 23, 08, 11, 16, 12, 07, 15
Source: Fujitsu
PM 4.2 Create overall investment portfolio view
55
IM processes
• IM01 Develop and evaluate initial programme concept business case:
- IM01.1 Recognise investment opportunities
- IM01.2 Develop initial programme concept business case
- IM01.3 Evaluate initial programme concept business case
• IM02 Understand the candidate programme and implementation options:
- IM02.1 Develop a clear and complete understanding of the candidate programme
- IM02.2 Perform alternatives analysis
• IM03 Develop the programme plan:
- IM03.1 Develop a programme plan
• IM04 Develop full life-cycle costs and benefits:
- IM04.1 Identify full life-cycle costs and benefits
- IM04.2 Develop benefits realisation plan
- IM04.3 Perform appropriate reviews and obtain sign-offs
• IM05 Develop the detailed candidate programme business case:
- IM05.1 Develop detailed programme business case
- IM05.2 Assign clear accountability and ownership
- IM05.3 Perform appropriate reviews and obtain sign-offs
56
IM04.1 Identify full life-cycle costs and benefits
57
Example
Programme Outputs/Capability
ISACA Strategic Objectives
Operational & Business Changes
Outcomes
Intermediate Benefits
End Benefits
Example - Enhanced web & E-commerce System, Faster search engine
Example - Business Process Reengineering, e.g. Registration, Exams & certification
Example - More Automated Processes, Less outages
Example - Improved Online self Help, reduced Calls for help, Reducing costs
Example - Create Expanded access to Knowledge & Networking Opportunities
ISACA Strategy Map, e.g. A07 Enhance Community Experience
We are here on the Journey
LEGEND
- Output describes a feature or enables a new outcome.
- Outcome is the desired operational result.
- Benefit is the measurement of an outcome and describes an advantage accruing from the outcome.
- An End Benefit is a direct contribution to a strategic objective.
IM04.2 Develop benefits realisation plan (example of a web2.0 programme)
58
Example
1. Cover sheet
- Programme name
- Business sponsor
- Programme manager
- Revision notes
- Validation signatures
- Approval signature
2. Executive summary
- Programme context
- Name
- Business sponsor
- Track record of management team
- Category of investment
- Programme description/profile
- Synopsis of business case assessment
- Programme contribution (value)
- Programme timing (schedule)
- Risk, financial return and alignment scores
- Dependencies
- Key risks
- Comparative value summary
3. Are we doing the right things? (Why?)
- Financial benefits (full economic life cycle, best case, worst case, most likely case)
- Financial costs (full economic life cycle, full IT and business costs, best case, worst case, most likely case)
- Non-financial benefits (alignment)
- Non-financial (alignment, efficiency) costs
- Risk analysis (key risks and mitigation strategies)
- Organisational change impact
- Impact of not doing the programme - Opportunity cost
IM05.1 Develop detailed programme business case
59
Example
4. Are we doing things the right way? (What and How?)
- Alternative approaches
- Selected approach
- High-level analytic model
- Programme milestones
- Critical success factors
- Programme dependencies
- Enterprise architecture compliance
- Security policy compliance
- Key risks
5. Are we doing things well? (How?)
- Programme execution plan
- High-level benefits realisation plan
- Risk management
- Change management
- Governance structure (controls)
- Key risks
6. Are we getting the benefits?
- Description of benefits (projected life, full economic life cycle, best case, worst case, most likely, or base, case)
- High-level benefits register
- Financial benefits
- Key risks
7. Appendices
- Detailed analytic model
- Detailed project plan
- Detailed risk management plan
- Detailed benefits realisation plan
- Full benefits register
IM05.1 Develop detailed programme business case
60
IM processes
• IM06 Launch and manage the programme:
- IM06.1 Plan projects, resource and launch the programme
- IM06.2 Manage the programme
- IM06.3 Track and manage benefits
• IM07 Update operational IT portfolios:
- IM07.1 Update operational IT portfolios
• IM08 Update the business case:
- IM08.1 Update the business case
• IM09 Monitor and report on the programme:
- IM09.1 Monitor and report on programme (solution delivery) performance
- IM09.2 Monitor and report on business (benefit/outcome) performance
- IM09.3 Monitor and report on operational (service delivery) performance
• IM10 Retire the programme:
- IM10.1 Retire the programme
61
VALIT Management Guidelines
Inputs / outputs
RACI
Goal & metrics
Columns: From, Inputs, Outputs, To
* High-level business requirements Initial business case IM2 COBIT PO1 COBIT PO5 COBIT AI1
PM1 Appropriate investment mix Initial business case approval IM3 IM4 IM6 COBIT PO1 COBIT PO10
IM1 Initial business case COBIT AI1
COBIT PO1 IT services portfolio
COBIT PO5 IT cost-benefit estimates
COBIT PO9 Risk assessment
RACI chart columns:
- Board
- CEO
- Compliance, Risk, Audit, Security
- Investment and Services Board
- Value Management Office
- CFO
- CIO
- Business Sponsor
- Programme Manager
- Programme Management Office
- Business Management
- Project Management Office
Create an environment that fosters and welcomes new ideas and acknowledges their champions.
R A/R R R
Suggest new opportunities. R A/R R R R R R R
Capture opportunities for investment programmes to create value in support of the business strategy or to address operational or compliance issues.
C C C R C R A/R
Categorise the opportunity. Clarify expected business outcome(s) and identify, at a high level, business, process, people, technology and organisational initiatives required to achieve the expected outcomes.
C R C C A/R
Determine which opportunities to pursue further or examine in more depth, and identify and assign a business sponsor for each opportunity to be pursued.
C C C C C C A/R C
Describe the business outcome(s) to which the potential programme will contribute, the nature of the programme’s contribution, and how the contribution would be measured.
C C C A R R
Identify high-level initiatives that might be required to achieve these outcomes.
C C A R R
Estimate the high-level benefits, both financial and non-financial, and the costs for the full economic life cycle of the programme.
C C C A R R
State any key assumptions and identify key risks, along with their potential impact on current and future business operations, and mitigation strategies.
C C R A R R
Document the initial programme concept business case with information obtained.
C A R
Review and evaluate the initial programme concept business case.
C C C A R R R
Determine whether the programme should proceed to full programme definition and evaluation.
C C C A R R R
Obtain CIO approval and sign-off on the technical aspects of the initial programme concept business case.
I R A R
Obtain business sponsor approval and sign-off on overall initial programme concept business case.
I A R
Activities
Functions
GOALS
Activities:
• An environment that fosters and captures new ideas exists.
• A process and responsibilities for submission and categorisation of new ideas exist and are used.
• Champions of new ideas that are adopted are rewarded.
• Outlines of potential business initiatives and their outcomes are identified.
• High-level benefits and costs are identified for potential investment.
• Significant risks, and assumptions and mitigation plans are documented.
Process:
• Individuals throughout the enterprise suggest new investment opportunities.
• Ideas are collected, understood and categorised correctly for the investment portfolio.
• Good ideas are selected efficiently and expediently for further study.
• Good ideas are assigned business sponsors.
• Documented initial concept business cases with outcomes, benefits, assumptions, costs and risks are prepared.
• The content of initial programme
IM:
• Ensure that the enterprise’s individual IT-enabled investments contribute to optimal value.
METRICS
Activities:
• Number of suggestions
• Percentage of champions rewarded
• Consistency and compliance of assessments and assumptions with enterprise’s processes and practices
• Elapsed time between approval to prepare initial programme concept business case and sign-offs being obtained
• Age and backlog of non-processed ideas
• Number of programme concept business cases considered
Process:
• Percentage of ideas accepted to be developed into initial programme concept business cases
• Number of new ideas per investment category
• Number of ideas trying to bypass enterprise’s processes and practices
• Number and percentage of sign-offs obtained without resubmission
• Number and percentage of programme concept business cases that continue to full business case development
IM:
• Contribution of individual IT-enabled investments to optimal value
62
Roles & Responsibilities
Role: Suggested definition
Board: The group of the most senior executives and/or non-executives of the enterprise, who are accountable for the governance of the enterprise and have overall control of its resources
Business sponsor (incl. service owner): The individual accountable for delivering benefits and value to the enterprise from an IT-enabled business investment programme
Business unit executives / managers: Business individuals with roles with respect to a programme
Compliance, audit, risk and security (CARS): The function(s) in the enterprise responsible for compliance, audit, risk and security
Chief Executive Officer (CEO): The highest ranking officer, who is in charge of the total management of the enterprise
Chief Financial Officer (CFO): The most senior official of the enterprise, who is accountable for financial planning, record keeping, investor relations and financial risks
Chief Information Officer (CIO): The most senior official of the enterprise, who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information, and the deployment of associated human resources
Investment and services board (ISB): A management structure primarily accountable for managing the enterprise’s portfolio of investment programmes and existing/current services and, thus, managing the level of overall funding to provide the necessary balance between enterprise-wide and specific line-of-business needs
Head of Human Resources: The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise
Programme Manager: The individual responsible for the achievement of the programme’s objectives
Programme Management Office (PgMO): The function responsible for supporting programme managers and gathering, assessing and reporting information about the conduct of their programmes and constituent projects
Project Management Office (PMO): The function for supporting project managers; defining and propagating standardised methodologies; and gathering, assessing and reporting information about the conduct of their projects
Value Management Office (VMO): The function that acts as the secretariat for the ISB in managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, value governance/management methods and controls, and reporting on progress in sustaining and creating value from investments and services
63
Relational mechanisms (Peterson, 2003)
• Effective communications and knowledge sharing
• Active participation and collaboration of principal stakeholders
• Partnership rewards and incentives
• Business/IT collocation
• Cross-functional business/IT training and job rotation
• IT leadership
• …
64
IT governance international benchmarking
(“IT governance global status report”, ITGI, 2008)
IT governance implementation status
65
IT governance implementation by industry
(“IT governance global status report”, ITGI, 2008)
66
Agenda
• Enterprise Governance of IT
• Enterprise Governance of IT practices
• Enterprise Governance of IT as enabler for business / IT alignment
• Enterprise Governance of IT as enabler for business value
67
Implementation of EGIT in practice
Requires:
A holistic set of
• Governance Processes
• Structures
• Relational Mechanisms
at all 3 layers of the organization.
Structures Processes
Enterprise governance of IT
Relational mechanisms
68
“a list of 33 EGIT practices based on Delphi research”
12 structures
11 processes
10 relational mechanisms
69
EGIT: Practices identified & defined structures: 12 practices
Columns: Best Practice, Definition, Level (E/S, B)
IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
- Definition: Steering committee at executive or senior management level responsible for determining business priorities in IT investments.
- Level: x
CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
- Definition: CIO has a direct reporting line to the CEO and/or COO
- Level: x
CIO on executive committee
- Definition: CIO is a full member of the executive committee
- Level: x
(IT) audit committee at level of board of directors
- Definition: Independent committee at level of board of directors overviewing (IT) assurance activities
- Level: x
IT expertise at level of board of directors
- Definition: Members of the board of directors have expertise and experience regarding the value and risk of IT
- Level: x
IT strategy committee at level of board of directors
- Definition: Committee at level of board of directors to ensure IT is regular agenda item and reporting issue for the board of directors
- Level: x
70
EGIT: Practices identified & defined structures: 12 practices
Columns: Best Practice, Definition, Level (E/S, B)
Integration of governance/alignment tasks in roles & responsibilities
- Definition: Documented roles & responsibilities include governance/alignment tasks for business and IT people (cf. Weill)
- Level: xx
Architecture steering committee
- Definition: Committee composed of business and IT people providing architecture guidelines and advice on their applications.
- Level: x
IT security steering committee
- Definition: Steering committee composed of business and IT people focusing on IT related risks and security issues
- Level: x
IT project steering committee
- Definition: Steering committee composed of business and IT people focusing on prioritising and managing IT projects
- Level: x
Security / compliance / risk officer
- Definition: Function responsible for security, compliance and/or risk, which possibly impacts IT
- Level: x
IT governance function / officer
- Definition: Function in the organisation responsible for promoting, driving and managing IT governance processes
- Level: x
71
EGIT: Practices identified & defined processes: 11 practices
Columns: Best Practice, Definition, Level (E/S, B)
Service level agreements
- Definition: Formal agreements between business and IT about IT development projects or IT operations
- Level: x
Charge back arrangements - total cost of ownership (e.g. activity based costing)
- Definition: Methodology to charge back IT costs to business units, to enable an understanding of the total cost of ownership
- Level: x
Portfolio management (incl. business cases, information economics, ROI, payback)
- Definition: Prioritisation process for IT investments and projects in which business and IT is involved (incl. business cases)
- Level: xx
IT performance measurement (e.g. IT balanced scorecard)
- Definition: IT performance measurement in domains of corporate contribution, user orientation, operational excellence and future orientation
- Level: xx
Strategic information systems planning
- Definition: Formal process to define and update the IT strategy
- Level: xx
72
EGIT: Practices identified & defined processes: 11 practices
Columns: Best Practice, Definition, Level (E/S, B)
COSO / ERM
- Definition: Framework for internal control
- Level: xx
Benefits management and reporting
- Definition: Processes to monitor the planned business benefits during and after implementation of the IT investments / projects.
- Level: xx
IT budget control and reporting
- Definition: Processes to control and report upon budgets of IT investments and projects
- Level: xx
Project governance / management methodologies
- Definition: Processes and methodologies to govern and manage IT projects
- Level: x
IT governance assurance and self-assessment
- Definition: Regular self-assessments or independent assurance activities on the governance and control over IT
- Level: xx
IT governance framework COBIT
- Definition: Process based IT governance and control framework
- Level: x
73
EGIT: Practices identified & defined relational mechanisms: 10 practices
Columns: Best Practice, Definition, Level (E/S, B)
Business/IT account management
- Definition: Bridging the gap between business and IT by means of account managers who act as in-between
- Level: x
Knowledge management (on IT governance)
- Definition: Systems (intranet, …) to share and distribute knowledge about IT governance framework, responsibilities, tasks, etc.
- Level: xx
Cross-training
- Definition: Training business people about IT and/or training IT people about business
- Level: x
Co-location
- Definition: Physically locating business and IT people close to each other
- Level: x
Job-rotation
- Definition: IT staff working in the business units and business people working in IT
- Level: x
74
EGIT: Practices identified & defined relational mechanisms: 10 practices
Columns: Best Practice, Definition, Level (E/S, B)
IT governance awareness campaigns
- Definition: Campaigns to explain to business and IT people the need for IT governance
- Level: xx
Corporate internal communication addressing IT on a regular basis
- Definition: Internal corporate communication regularly addresses general IT issues.
- Level: xx
IT leadership
- Definition: Ability of CIO or similar role to articulate a vision for IT's role in the company and ensure that this vision is clearly understood by managers throughout the organization
- Level: xx
Informal meetings between business and IT executive/senior management
- Definition: Informal meetings, with no agenda, where business and IT senior management talk about general activities, directions, etc. (e.g. during informal lunches)
- Level: x
Executive / senior management giving the good example
- Definition: Senior business and IT management acting as "partners"
- Level: x
75
Figure: Perceived effectiveness of EGIT practices (scale 0,0 to 5,0; 0 = not effective, 5 = very effective)
Practices, in chart order:
- COSO / ERM
- Job-rotation
- IT governance assurance and self-assessment
- Co-location
- Cross-training
- IT security steering committee
- IT governance awareness campaigns
- Benefits management and reporting
- IT governance function / officer
- Architecture steering committee
- IT expertise at level of board of directors
- (IT) audit committee at level of board of directors
- Integration of governance/alignment tasks in roles & responsibilities
- Knowledge management (on IT governance)
- Security / compliance / risk officer
- Charge back arrangements - total cost of ownership (e.g. activity based costing)
- IT governance framework COBIT
- Corporate internal communication addressing IT on a regular basis
- Service level agreements
- IT strategy committee at level of board of directors
- Business/IT account management
- Informal meetings between business and IT executive/senior management
- Strategic information systems planning
- Executive / senior management giving the good example
- IT leadership
- IT performance measurement (e.g. IT balanced scorecard)
- IT project steering committee
- Project governance / management methodologies
- Portfolio management (incl. business cases, information economics, ROI, payback)
- IT budget control and reporting
- CIO on executive committee
- CIO reporting to CEO and/or COO
- IT steering committee (IT investment evaluation / prioritisation)
76
Figure: Perceived ease of implementation of EGIT practices (scale 0,0 to 4,5; 0 = not easy to implement, 5 = very easy to implement)
Practices, in chart order:
- COSO / ERM
- IT expertise at level of board of directors
- Benefits management and reporting
- Charge back arrangements - total cost of ownership (e.g. activity based costing)
- Job-rotation
- IT governance framework COBIT
- IT governance assurance and self-assessment
- Integration of governance/alignment tasks in roles & responsibilities
- Portfolio management (incl. business cases, information economics, ROI, payback)
- Knowledge management (on IT governance)
- IT performance measurement (e.g. IT balanced scorecard)
- Executive / senior management giving the good example
- Strategic information systems planning
- Cross-training
- IT leadership
- Project governance / management methodologies
- Co-location
- IT governance function / officer
- Architecture steering committee
- Service level agreements
- IT governance awareness campaigns
- Business/IT account management
- IT steering committee (IT investment evaluation / prioritisation)
- IT strategy committee at level of board of directors
- (IT) audit committee at level of board of directors
- CIO on executive committee
- IT security steering committee
- Corporate internal communication addressing IT on a regular basis
- Informal meetings between business and IT executive/senior management
- IT budget control and reporting
- IT project steering committee
- Security / compliance / risk officer
- CIO reporting to CEO and/or COO
77
Figure: Effectiveness (vertical axis, Low to High) versus Ease of implementation (horizontal axis, Difficult to implement to Easy to implement)
Practices by position on the effectiveness axis:
4,7: S6
4,5: S5
4,4: S4
4,1: P3, P8, P9
4: P2, S9
3,9: R8/R6
3,8: P1, R5, S1, R7
3,5: P5
3,4: R9
3,3: P6/P4, S8
3,2: S12, R4, S3
3,1: S2, S11
2,9: P10, S7
2,8: P7, R3, R2, R10, S10
2,4: P11, R1
Legend:
S1 IT strategy committee at level of board of directors
S2 IT expertise at level of board of directors
S3 (IT) audit committee at level of board of directors
S4 CIO on executive committee
S5 CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)
S6 IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)
S7 IT governance function / officer
S8 Security / compliance / risk officer
S9 IT project steering committee
S10 IT security steering committee
S11 Architecture steering committee
S12 Integration of governance/alignment tasks in roles & responsibilities
P1 Strategic information systems planning
P2 IT performance measurement (e.g. IT balanced scorecard)
P3 Portfolio management (incl. business cases, information economics, ROI, payback)
P4 Charge back arrangements - total cost of ownership (e.g. activity based costing)
P5 Service level agreements
P6 IT governance framework COBIT
P7 IT governance assurance and self-assessment
P8 Project governance / management methodologies
P9 IT budget control and reporting
P10 Benefits management and reporting
P11 COSO / ERM
R1 Job-rotation
R2 Co-location
R3 Cross-training
R4 Knowledge management (on IT governance)
R5 Business/IT account management
R6 Executive / senior management giving the good example
R7 Informal meetings between business and IT executive/senior management
R8 IT leadership
R9 Corporate internal communication addressing IT on a regular basis
R10 IT governance awareness campaigns
Chart regions:
- IT governance practices that are highly effective and easy to implement
- IT governance practices that are highly effective but difficult to implement
- IT governance practices whose value is challenged
Key minimum baseline IT governance practices
• IT steering committee
• IT project steering committee
• Having the CIO reporting to the CEO
• Project management methodologies
• Portfolio management
• IT budget control and reporting
• IT leadership
78
Assignment
EGIT practices in a case organisation
79
Columns: Organisation, Maturity, Rationale
IT strategy committee at level of board of directors 0 1 2 3 4 5
IT expertise at level of board of directors 0 1 2 3 4 5
(IT) audit committee at level of board of directors 0 1 2 3 4 5
CIO on executive committee 0 1 2 3 4 5
CIO reporting to CEO and/or COO 0 1 2 3 4 5
IT steering committee (IT investment evaluation / prioritisation at executive / senior management level) 0 1 2 3 4 5
IT governance function / officer 0 1 2 3 4 5
Security / compliance / risk officer 0 1 2 3 4 5
IT project steering committee 0 1 2 3 4 5
IT security steering committee 0 1 2 3 4 5
Architecture steering committee 0 1 2 3 4 5
Integration of governance/alignment tasks in roles & responsibilities 0 1 2 3 4 5
Strategic information systems planning 0 1 2 3 4 5
IT performance measurement (e.g. IT balanced scorecard) 0 1 2 3 4 5
Portfolio management (incl. business cases, information economics, ROI, payback) 0 1 2 3 4 5
Charge back arrangements - total cost of ownership (e.g. activity based costing) 0 1 2 3 4 5
Service level agreements 0 1 2 3 4 5
IT governance framework COBIT 0 1 2 3 4 5
IT governance assurance and self-assessment 0 1 2 3 4 5
Project governance / management methodologies 0 1 2 3 4 5
IT budget control and reporting 0 1 2 3 4 5
Benefits management and reporting 0 1 2 3 4 5
COSO / ERM 0 1 2 3 4 5
Job-rotation 0 1 2 3 4 5
Co-location 0 1 2 3 4 5
Cross-training 0 1 2 3 4 5
Knowledge management (on IT governance) 0 1 2 3 4 5
Business/IT account management 0 1 2 3 4 5
Executive / senior management giving the good example 0 1 2 3 4 5
Informal meetings between business and IT executive/senior management 0 1 2 3 4 5
IT leadership 0 1 2 3 4 5
Corporate internal communication addressing IT on a regular basis 0 1 2 3 4 5
IT governance awareness campaigns 0 1 2 3 4 5
Other practices
General remarks
80
Assignment
0 Non-existent: There is a complete lack of any recognisable IT Governance process.
1 Initial/ad hoc: The organisation has recognised that IT Governance issues exist and need to be addressed.
2 Repeatable but intuitive: There is awareness of IT Governance objectives, and practices are developed and applied by individual managers.
3 Defined process: The need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented.
4 Managed and measurable: IT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process.
5 Optimised: Enterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.
Assess the “As-Is” and “To-Be” EGIT situation in your organisation
81
Agenda
• Enterprise Governance of IT
• Enterprise Governance of IT practices
• Enterprise Governance of IT as enabler for business / IT alignment
• Enterprise Governance of IT as enabler for business value
82
Business/IT Alignment
• Research concerning difficulties experienced by organisations while aligning business and IT.
  - Expression barriers (lack of direction in business strategy)
  - Specification barriers (lack of IT involvement in strategy development)
  - Implementation barriers (difficult integration of legacy systems)
83
Business/IT Alignment
• Henderson and Venkatraman (SAM model)
[Figure: SAM model. Quadrants: Business Strategy, IT Strategy, Organizational infrastructure and processes, IS infrastructure and processes. Rows: External, Internal (Strategic fit). Columns: Business, Information Technology (Functional integration).]
84
Strategic Alignment (Henderson and Venkatraman, 1993)
[Figure: Strategic Alignment Model. Quadrants: Business strategy, IT strategy, Operational infrastructure and processes, IT infrastructure and processes. Rows: External, Internal (Strategic fit). Columns: Business, Information Technology (Functional integration).]
85
Strategic Alignment model
Business strategy as the driver: strategy execution alignment perspective
Business strategy is articulated and is the driver of both organizational and IT infrastructure design
[Figure: Strategic Alignment Model. Quadrants: Business strategy, IT strategy, Operational infrastructure and processes, IT infrastructure and processes. Rows: External, Internal (Strategic fit). Columns: Business, Information Technology (Functional integration).]
86
Strategic Alignment model
Business strategy as the driver: technology transformation alignment perspective
Implementing the chosen business strategy through appropriate IT strategy and required IT infrastructure and processes
[Figure: Strategic Alignment Model. Quadrants: Business strategy, IT strategy, Operational infrastructure and processes, IT infrastructure and processes. Rows: External, Internal (Strategic fit). Columns: Business, Information Technology (Functional integration).]
87
Strategic Alignment model
IT strategy as the enabler: service level alignment perspective
Focuses on how to build a world-class IT service organization
[Figure: Strategic Alignment Model. Quadrants: Business strategy, IT strategy, Operational infrastructure and processes, IT infrastructure and processes. Rows: External, Internal (Strategic fit). Columns: Business, Information Technology (Functional integration).]
88
Business/IT Alignment
• Maes (extension SAM model)
[Figure: Maes extension of the SAM model. Columns: business, information/communication, technology. Rows: strategy, structure, operations.]
89
Assignment
Business / IT alignment assessment through business goals / IT goals
90
Assignment: linking business goals to IT goals
91
IT Goals (matrix columns)
- Developing innovative IT services with a focus on information security
- Fulfilling SLA's with business departments
- Increasing IT department efficiency
- Integration and consolidation of different IT departments
- IT disaster recovery and business continuity
- IT governance / IT strategic alignment
- IT measures to satisfy Basel II requirements
- Lowering cost of transaction processing
- Making IT measurable
- Optimizing the IT infrastructure
- Rapid development of new IT services
- Reducing external staff
- Standardising IT systems
Business Goals (matrix rows, each followed by its P / S entries)
- Achieving compliance with Basel II regulations: S S P
- Improving competitiveness through IT: P P S P
- Improving customer orientation and service: P S P S S P S
- Post-merger integration and consolidation: P S S S S
- Reducing operational cost: P P S S P P P P P
- Reducing transaction cost: P S S P P S S
- Risk management: S P S S P P S P S
- Shortening service development lifecycle: S S P
- Tailoring solutions for different target groups: P S
Linking business goals – IT goals
92
Aligning business goals and IT goals
• UAMS-ITAG/ITGI research:
  - Previous research
    • 20 business goals and 28 IT goals
    • Across multiple sectors
  - This study
    • Validate business and IT goals
    • Gain insight in priorities for different sectors
    • Examine relationship between IT goals and business goals
93
Aligning business goals and IT goals
• Delphi methodology:
  - Structured process for collecting and distilling knowledge from a group of experts by means of several research rounds.
• 158 business and IT people
• 5 sectors
  - Manufacturing and pharmaceuticals, IT professional services, telecommunications and media, government, utilities and healthcare, and retail and transportation.
94
Aligning business goals and IT goals
95
Aligning business goals and IT goals
TOP 10 PRIORITIZED LIST OF IT GOALS
1. ALIGN THE IT STRATEGY TO THE BUSINESS STRATEGY
2. MAINTAIN THE SECURITY (CONFIDENTIALITY, INTEGRITY AND AVAILABILITY) OF INFORMATION AND PROCESSING INFRASTRUCTURE
3. MAKE SURE THAT IT SERVICES ARE RELIABLE AND SECURE
4. PROVIDE SERVICE OFFERINGS AND SERVICE LEVELS IN LINE WITH BUSINESS REQUIREMENTS
5. PROVIDE IT COMPLIANCE WITH LAWS AND REGULATIONS
6. TRANSLATE BUSINESS FUNCTIONAL AND CONTROL REQUIREMENTS IN EFFECTIVE AND EFFICIENT AUTOMATED SOLUTIONS
7. DELIVER PROJECTS ON TIME AND ON BUDGET MEETING QUALITY STANDARDS
8. DRIVE COMMITMENT AND SUPPORT OF EXECUTIVE MANAGEMENT
9. IMPROVE IT’S COST-EFFICIENCY
10. ACCOUNT FOR AND PROTECT ALL IT ASSETS

TOP 10 PRIORITIZED LIST OF BUSINESS GOALS
1. IMPROVE CUSTOMER ORIENTATION AND SERVICE
2. COMPLY WITH EXTERNAL LAWS AND REGULATIONS
3. ESTABLISH SERVICE CONTINUITY AND AVAILABILITY
4. MANAGE (IT RELATED) BUSINESS RISKS
5. OFFER COMPETITIVE PRODUCTS AND SERVICES
6. IMPROVE AND MAINTAIN BUSINESS PROCESS FUNCTIONALITY
7. PROVIDE A GOOD RETURN ON INVESTMENT OF (IT ENABLED) BUSINESS INVESTMENTS
8. ACQUIRE, DEVELOP AND MAINTAIN SKILLED AND MOTIVATED PEOPLE
9. CREATE AGILITY IN RESPONDING TO CHANGING BUSINESS REQUIREMENTS
10. OBTAIN RELIABLE AND USEFUL INFORMATION FOR STRATEGIC DECISION MAKING
96
Business Goals (matrix columns)
1. Improve customer orientation and service
2. Provide compliancy with external laws and regulations
3. Establish service continuity and availability
4. Manage (IT related) business risks
5. Offer competitive products and services
6. Improve and maintain business process functionality
7. Provide a good return on investment of (IT enabled) business investments
8. Acquire, develop and maintain skilled and motivated people
9. Create agility in responding to changing business requirements
10. Obtain reliable and useful information for strategic decision making
11. Achieve cost optimisation of service delivery
12. Optimise business process costs
13. Enable and Manage business change
14. Improve and maintain operational and staff productivity
15. Improve financial transparency
16. Provide compliancy with internal policies
17. Identify, enable and manage product and busin

IT Goals (matrix rows, each followed by its P / S entries)
1. Align the IT strategy to the business strategy: P S S P P P S S P P S S P S S S P
2. Maintain the security (confidentiality, integrity and availability) of information and processing infrastructure: P P P P S S P
3. Make sure that IT services are reliable and secure: P P P P S S S S S S S S
4. Provide service offerings and service levels in line with business requirements: P P S P P S S S S S S S S S
5. Provide IT compliancy with laws and regulations: S P P S S S P
6. Translate business functional and control requirements in effective and efficient automated solutions: S S S S P S S S S S S S S S
7. Deliver projects on time and on budget meeting quality standards: S S S S S S S S S S
8. Drive commitment and support of executive management: S S S S S S S S S S
9. Improve IT’s cost-efficiency: S P P P S
10. Account for and protect all IT assets: S S S S S S
11. Acquire, develop and maintain IT skills that respond to the IT strategy: S S P S S S S S
12. Provide IT agility (in responding to changing business needs): S S S S P P S
13. Offer transparency and understanding of IT cost, benefits and risks: S S S S P
14. Optimise the IT infrastructure, resources and capabilities: S S P S P S S
15. Accomplish proper use of applications, information and technology solutions: S S S S S S S S S S S S S
16. Seamlessly integrate applications and technology solutions into business processes: S S P S S S S S S S S
17. Ensure that IT demonstrates continuous improvement and readiness for future change: S S S P S P
18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation: S S P S S S S P
97
Luftman assessment of business/IT alignment maturity
• Validated instrument
• Used in many studies to assess business/IT alignment
• 6 attributes
  - Communications maturity
  - Competency/value measurements maturity
  - Governance maturity
  - Partnership maturity
  - Scope & architecture maturity
  - Skills maturity
98
attribute characteristics | level 1 | characteristic level 5

• communications maturity
  - understanding of business by IT | minimum | pervasive
  - understanding of IT by business | minimum | pervasive
  - inter/intra-organizational learning | casual, ad hoc | strong and structured
  - protocol rigidity | command and control | informal
  - knowledge sharing | ad hoc | extra-enterprise
  - liaison(s) breadth/effectiveness | none or ad hoc | extra-enterprise

• competency/value measurements maturity
  - IT metrics | technical | extended to external partners
  - business metrics | ad hoc | extended to external partners
  - balanced metrics | ad hoc, unlinked | business, partner and IT metrics
  - service level agreements | sporadically present | extended to external partners
  - benchmarking | not generally practiced | routinely performed with partners
  - formal assessments/reviews | none | routinely performed
  - continuous improvement | none | routinely performed

• governance maturity
  - business strategic planning | ad hoc | integrated across & external
  - IT strategic planning | ad hoc | integrated across & external
  - reporting/organization structure | CIO reports to CFO, central/decentral | CIO reports to CEO, federated
  - budgetary/control | cost center, erratic | investment center, profit center
  - IT investment management | cost based, erratic | business value
  - steering committee(s) | not formal, regular | partnership
  - prioritization process | reactive | value added partner
99
attribute characteristics | level 1 | characteristic level 5

• partnership maturity
  - business perception of IT value | IT perceived as a cost | IT co-adapts with business
  - role of IT in strategic business planning | no seat at business table | co-adaptive with business
  - shared goals, risk, rewards/penalties | IT takes risk | risks and rewards shared
  - IT program management | ad hoc | continuous improvement
  - relationship/trust style | conflict/minimum | valued partnership
  - business sponsor/champion | none | at the CEO level

• scope & architecture maturity
  - traditional, enabler/driver | traditional systems | business strategy driver/enabler
  - standards articulation | none or ad hoc | inter-enterprise standards
  - architectural integration: | no formal integration | evolve with partners
    • functional organization: integrated
    • enterprise: standard enterprise architecture
    • inter-enterprise: with all partners
  - architectural transparency, flexibility | none | across the infrastructure

• skills maturity
  - innovation, entrepreneurship | discouraged | the norm
  - locus of power | in the business | all executives, including CIO
  - management style | command and control | relationship based
  - change readiness | resistant to change | high, focused
  - career crossover | none | across the enterprise
  - education, cross-training | none | across the enterprise
  - attract & retain best talent | no program | effective program for
100
Example questions (partnership maturity)

IT is perceived by the business as:
1 A cost of doing business
2 Emerging as an asset
3 A fundamental enabler of future business activity
4 A fundamental driver of future business activity
5 A partner for the business that co-adapts/improvises in bringing value to the firm
6 N/A or don’t know

The following statements are about the IT and business relationship and trust.
1 There is a sense of conflict and mistrust between IT and the business.
2 The association is primarily an “arm’s length” transactional style of relationship.
3 IT is emerging as a valued service provider.
4 The association is primarily a long-term partnership style of relationship.
5 The association is a long-term partnership and valued service provider.
6 N/A or don’t know

The following statements are about the cultural locus of power in making IT-based decisions. Our important IT decisions are made by:
1 Top business management or IT management at the corporate level only
2 Top business or IT management at corporate level with emerging functional unit level influence
3 Top business management at corporate and functional unit levels, with emerging shared influence from IT management
4 Top management (business and IT) across the organization and emerging influence from our business partners/alliances.
5 Top management across the organization with equal influence from our business partners/alliances.
6 N/A or don’t know
101
Business / IT alignment international benchmark
[Figure: bar chart of Alignment (scale 0 to 5) by sector: Retail, transportation, Hotel/entertainment, Services, Insurance, Manufacturing, Health, Chemical, Financial, Government, Oil/Gas/Mining, Utilities, Pharmaceutical, Educational, Overall Average.]
102
Business / IT alignment Belgian benchmark
• Result of alignment benchmark research
• 10 Belgian financial enterprises:

Organisation | Number of employees in Belgium | Main activities
A | More than 1000 | Banking and Insurance
B | Between 100 and 1000 | Banking and Insurance
C | More than 1000 | Banking
D | More than 1000 | Banking
E | More than 1000 | Banking and Insurance
F | More than 1000 | Financial transaction services
G | Between 100 and 1000 | Banking and Insurance
H | Between 100 and 1000 | Banking and Insurance
I | More than 1000 | Banking and Insurance
J | More than 1000 | Banking and Insurance
103
[Figure: organisations A to J positioned on a maturity scale from 1,0 to 4,0.]

Organisation | Total number of respondents | Number of IT respondents | Number of business respondents | Average maturity score by IT | Average maturity score by business | Delta | Total alignment maturity score | Deviation from average | Deviation from average (%)
A | 9 | 5 | 4 | 2,06 | 2,14 | -0,07 | 2,10 | -0,59 | -22%
B | 5 | 3 | 2 | 2,27 | 2,00 | 0,27 | 2,16 | -0,52 | -19%
C | 9 | 3 | 6 | 2,59 | 2,55 | 0,05 | 2,56 | -0,12 | -5%
D | 6 | 3 | 3 | 2,98 | 2,35 | 0,64 | 2,67 | -0,02 | -1%
E | 9 | 5 | 4 | 2,69 | 2,74 | -0,05 | 2,71 | 0,03 | 1%
F | 8 | 3 | 5 | 3,15 | 2,46 | 0,69 | 2,72 | 0,04 | 1%
G | 10 | 5 | 5 | 2,75 | 2,73 | 0,03 | 2,74 | 0,06 | 2%
H | 9 | 6 | 2 | 2,89 | 2,95 | -0,06 | 2,91 | 0,22 | 8%
I | 8 | 5 | 4 | 3,23 | 2,97 | 0,26 | 3,11 | 0,43 | 16%
J | 11 | 6 | 5 | 3,09 | 3,26 | -0,17 | 3,17 | 0,48 | 18%
Total | 84 | 44 | 40 | | | | Average: 2,69 | |
Business / IT alignment Belgian benchmark
104
The relationship between EGIT practices and business / IT alignment
• Research on extreme cases
• Interviews/workshops to define maturity of 33 governance practices

Organization | Interviewees
A | Adjunct-director Organization Department; Service delivery manager; Director Organization Department
B | CEO; Change Manager
I | Head IT Governance; Head IT Development; Head Project Management Office
J | CIO; Head Accounting
105
0 Non-existent: There is a complete lack of any recognisable IT Governance process.
1 Initial/ad hoc: The organisation has recognised that IT Governance issues exist and need to be addressed.
2 Repeatable but intuitive: There is awareness of IT Governance objectives, and practices are developed and applied by individual managers.
3 Defined process: The need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented.
4 Managed and measurable: IT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process.
5 Optimised: Enterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.
Defining maturity of 33 EGIT practices
106
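Practice | A | B | I | J
S1 | 0 | 0 | 0 | 0
S2 | 4 | 1 | 0 | 1
S3 | 3 | 3 | 3 | 3
S4 | 2 | 5 | 2 | 0
S5 | 2 | 5 | 4 | 5
S6 | 2 | 2 | 4 | 4
S7 | 2 | 0 | 4 | 4
S8 | 2 | 3 | 4 | 5
S9 | 2 | 2 | 4 | 4
S10 | 0 | 0 | 0 | 4
S11 | 0 | 0 | 1 | 3
S12 | 2 | 1 | 2 | 5
P1 | 1 | 2 | 1 | 4
P2 | 1 | 2 | 4 | 4
P3 | 1 | 2 | 4 | 4
P4 | 0 | 0 | 2 | 5
P5 | 0 | 0 | 2 | 4
P6 | 0 | 0 | 1 | 4
P7 | 1 | 0 | 1 | 1
P8 | 2 | 3 | 3 | 4
P9 | 1 | 2 | 4 | 5
P10 | 0 | 1 | 1 | 3
P11 | 0 | 0 | 0 | 0
R1 | 1 | 0 | 1 | 2
R2 | 5 | 2 | 3 | 3
R3 | 2 | 0 | 2 | 1
R4 | 3 | 3 | 4 | 4
R5 | 2 | 0 | 0 | 4
R6 | 2 | 2 | 5 | 5
R7 | 2 | 0 | 0 | 0
R8 | 1 | 4 | 4 | 4
R9 | 2 | 0 | 2 | 3
R10 | 1 | 1 | 1 | 1
Average | 1,48 | 1,39 | 2,21 | 3,12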
107
The relationship between EGIT and business/IT alignment
[Figure: maturity of IT governance practices (scale 0,00 to 4,00) for Structures, Processes and Relational mechanisms, organisations J, I, B and A, shown against the business/IT alignment maturity scale (1,8 to 3,6) on which organisations A to J are positioned.]
108
The relationship between EGIT and business / IT alignment
• Maturity averages
• Clear gap between A-B and I-J
[Figure: bar chart of maturity averages (scale 0 to 3,5) for organisations A, B, I and J.]
109
Extreme cases analysis: EGIT practices versus business / IT alignment
[Figure: maturity (scale 0 to 6) of practices S1, S4, S5, S6, S9, P1, P3, P8, P9 and R8 for organisations J and A.]
[Figure: average IT governance practices maturity (scale 0 to 3,5) for organisations A, B, I and J.]
[Figure: maturity (scale 0 to 6) of practices S1 to S12, P1 to P11 and R1 to R10 for organisations J and A.]
[Figure: maturity (scale 0,00 to 4,00) of Structures, Processes and Relational mechanisms for organisations J, I, B and A.]
110
Agenda
• Enterprise Governance of IT
• Enterprise Governance of IT practices
• Enterprise Governance of IT as enabler for business / IT alignment
• Enterprise Governance of IT as enabler for business value
111
From enterprise governance of IT to business value
Enterprise governance of IT → enables → Business / IT alignment → enables → Business value from IT investments
112
Business/IT alignment and Business Value from IT
• Why is alignment important to an organization’s success?
  - Research from Chan and Bergeron: impact of alignment on business performance is higher than impact of business strategy or IT strategy
  - Productivity paradox (Brynjolfsson)
113
Research scope and model

What is the relationship between organizational performance and IT governance practices based on COBIT 4.1 and Val IT 2.0?

• Research model and metrics use the available concepts from COBIT and Val IT.
• Three research constructs
  - COBIT and Val IT processes: measured by the implementation status of 34 COBIT processes and 22 Val IT processes
  - Technical, operational and business capabilities: measured by the achievement status of 18 IT goals
  - Business Outcome: measured by the achievement status of 17 business goals and 3 Val IT goals
114
Questionnaire - Sample question
115
Research Model

[Figure: research model]
• IT and Business Governance Practices (COBIT and Val IT Processes)
  - COBIT processes, measured by processes implementation status
  - Val IT processes, measured by processes implementation status
• IT Goals
  - Technical capability, measured by IT goals achievement status
  - Operational capability, measured by IT goals achievement status
  - IT related business capability, measured by IT goals achievement status
• Business Goals
  - Business outcome, measured by business goals achievement status
• Business/IT Alignment
116
Research questions
• RQ1: Does the implementation of COBIT processes and Val IT processes have an impact on the achievement of IT goal capabilities (technical, operational and business capabilities)?
• RQ2: Which subset of COBIT and Val IT processes impacts the capabilities the most?
• RQ3: Do the IT goal capabilities have an impact on the achievement of business outcome (business goals)?
• RQ4: Which IT goal capabilities impact business outcome most?
• RQ5: Ultimately, does a cascaded relationship exist between the COBIT/Val IT governance practices, the intermediate capabilities (IT goals), and the business outcome (business goals)?
117
Research questions
• RQ6: What is the implementation status of COBIT and Val IT processes, spread over different sectors, company sizes and regions?
• RQ7: What is the degree of achievement for IT goals and business goals, spread over different sectors, sizes and regions?
• RQ8: Are the detailed business goals – IT goals – IT processes matrices as published in COBIT 4.1 confirmed?
118
Key findings
• The research model cascade is validated:
  1. A strong correlation between the implementation of COBIT and Val IT and the achievement of IT goals
  2. A strong correlation between the achievement of IT goals and the achievement of business goals
• Operational oriented processes are better implemented than planning, monitoring and value related processes.
• Implementation status of the COBIT and Val IT frameworks is typically higher in
  - Larger organisations
  - Organisations from the Financial, Manufacturing and Retail sector
  - European and North American organisations.
• Knowing-Doing Gap: Organisations are aware of the importance of IT goals such as ‘Align the IT strategy to the business strategy’ but in practice do not manage to achieve them in a proper way.
• New empirically researched data is available to further develop the IT governance body of knowledge and its related frameworks COBIT and Val IT
119
The validated research cascade model
[Figure: validated research cascade, with its links numbered 1 and 2]
• IT and Business Governance Practices (COBIT and Val IT Processes)
  - COBIT processes, measured by processes implementation status
  - Val IT processes, measured by processes implementation status
• IT Goals
  - Technical capability, measured by IT goals achievement status
  - Operational capability, measured by IT goals achievement status
  - IT related business capability, measured by IT goals achievement status
• Business Goals
  - Business outcome, measured by business goals achievement status
120
Implementation status IT processes
• Operational oriented processes (AI and DS) are better implemented than planning (PO) and monitoring (ME) processes.
• COBIT processes are better implemented than Val IT processes
[Figure: bar chart of implementation status (scale 2,50 to 3,50) for COBIT PO, COBIT AI, COBIT DS, COBIT ME, COBIT Total, Val IT VG, Val IT PM, Val IT IM, Val IT Total.]
121
Knowing-doing gap
• Comparing achievement results (this study) and importance results (previous study)
• Differences confirm knowing-doing gap
  - IT goal ‘Align the IT strategy to the business strategy’ was ranked as the most important goal (rank 1) in previous research but only ranked 7th regarding actual achievement status
  - IT goal ‘provide IT compliance with laws and regulations’ was ranked on the 5th place in terms of importance, but received the highest rank for achievement status
122
Summary - High impact implemented processes / achieved IT goals relation

• 7 high impact COBIT processes
• 5 high impact Val IT processes
• 4 high impacted IT Goals

High impact COBIT processes
- Define a Strategic IT plan (PO1)
- Manage the IT investment (PO5)
- Communicate Management Aims and Direction (PO6)
- Assess and manage IT risks (PO9)
- Identify Automated Solutions (AI1)
- Acquire and Maintain Application Software (AI2)
- Acquire and Maintain Technology Infrastructure (AI3)

High impacted IT Goals
- Align the IT strategy to the business strategy (IT_Corp6)
- Provide service offerings and service levels in line with business requirements (IT_User1)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

High impact Val IT processes
- Define and Implement Processes (VG2)
- Establish Effective Governance Monitoring (VG5)
- Continuously Improve Value Management Practices (VG6)
- Establish Strategic Direction and Target Investment Mix (PM1)
- Update Operational IT Portfolios (IM7)
123
Summary - High impact achieved IT goals / achieved Business Goals relation

• 8 high impact IT Goals
• 6 high impacted Business Goals

High impact IT Goals
- Improve IT’s cost-efficiency (IT_Corp5)
- Align the IT strategy to the business strategy (IT_Corp6)
- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)
- Accomplish proper use of applications, information and technology solutions (IT_User4)
- Provide IT agility (in responding to changing business needs) (IT_Oper4)
- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)
- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)
- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals
- Achieve cost optimisation of service delivery (B_Cust4)
- Obtain reliable and useful information for strategic decision making (B_Cust6)
- Improve and maintain business process functionality (B_Int1)
- Improve and maintain operational and staff productivity (B_Int2)
- Enable and Manage business change (B_Int3)
- Optimise business process costs (B_Int5)
124
Input COBIT 4.1 development
Mapping COBIT 4.1 / correlation matrix business goals – IT Goals
125
Input COBIT 4.1 development
Mapping COBIT 4.1 / correlation matrix IT goals – COBIT processes
126
• Questions and discussion
• More information
  - IT Governance and Alignment Research Institute
    • www.uams.be/ITAG
  - Books
    • Van Grembergen W., De Haes S., Implementing Information Technology Governance: models, practices and cases, 255p., IGI Publishing, 2008
    • Van Grembergen W., De Haes S., Enterprise Governance of IT: achieving strategic alignment and value, 360p., Springer, 2009
  - International Journal on IT/Business Alignment and Governance (IJITBAG)
    • www.igi-global.com/IJITBAG