S T A R TS T A R T

IT GOVERNANCE& MANAGEMENT

TOOLS & TECHNIQUES FOR

RICHARD WILLIS

BACKGROUNDINFORMATION

I T G OV E R N A N C E & M A N AG E M E N T

• Examples of well-known IT failures– Virgin Blue– National Australia Bank– Commonwealth Bank of Australia

• Necessity for a comprehensive IT governance model

• Common frameworks and standards for IT operations– ITIL– COBIT– ISO/IEC 38500:2008– ISO/IEC 27001– CMMI– Balanced Scorecard– Six Sigma

BACKGROUNDINFORMATION

CORPORATEGOVERNANCE

I T G OV E R N A N C E & M A N AG E M E N T

CORPORATEGOVERNANCE

• UTS Centre for Corporate Governance:“Corporate governance is the system by which business corporations are directed and controlled.”

• Corporate management vs. governance

Adapted from Tricker (2009)

INFORMATIONTECHNOLOGYGOVERNANCE

I T G OV E R N A N C E & M A N AG E M E N T

INFORMATION TECHNOLOGYGOVERNANCE

• IT Governance Institute definition:“IT Governance is the responsibility of the Board of Directors and the Executive Management”

• Key IT Governance Functions– IT governance is about “who is entitled to make major decisions”– IT governance is about “who has input”– IT governance is about: “who is accountable for implementing those

decisions”– IT governance is different from IT management

I T G OV E R N A N C E & M A N AG E M E N T

INFORMATION TECHNOLOGYGOVERNANCE

I T G OV E R N A N C E & M A N AG E M E N T

INFORMATION TECHNOLOGYGOVERNANCE

Source: Henderson and Venkatraman (1993)

IT GOVERNANCEVS.

IT MANAGEMENT

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCE VS.IT MANAGEMENT

• IT governance– Primarily concerned with facilitating (strategic) decision making– Organisation specific and cannot be delegated to the market

• IT service management– More focused on the operational excellence of the IT function – Focused on the effective and efficient internal supply of IT services and

products– Focused on the management of present IT operations– Elements can be commissioned to an external provider

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCE VS.IT MANAGEMENT

BusinessOrientation

Time Orientation

External

Internal

Present Future

IT Management

IT Governance

IT GOVERNANCE &

CORPORATE GOVERNANCE

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCE &CORPORATE GOVERNANCE

• IT departments as strategic partners:– No longer just an expense– A tool for increasing business

• IT departments…– First emerged in 1993– Deal primarily with the relationship between strategic objectives and IT

management

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCE &CORPORATE GOVERNANCE

Corporate/Business Unit Governance

Director Protection

Board EvaluationDirector RemunerationDirector Development

Director Selection & Induction

Strategy CEOMonitoringRisk ManagementCompliancePolicy FrameworkNetworkingStakeholder CommunicationDecision Making

Board Structure

Role of the BoardRole of Individual Directors

Role of the Chair

Role of the Company Secretary

Role of the CEO

Board Meetings

Board Meeting AgendaBoard Papers

Board Minutes

The Board CalendarCommittees

DefiningGovernance Roles

EffectiveGovernance

Improving BoardProcesses

Key BoardFunctions

®

Human Resource Governance

Roles Functions

• Board• Directors• CEO• CFO• CHRO• Project Manager• HR Staff

• Strategy• Risk

Management and Compliance

• Value Delivery• Monitoring and

Reporting• Stakeholder

Communication• Decision Making

OperationsGovernance

Roles Functions

• Board• Directors• CEO• CFO• COO• Project Manager• Operations Staff

• Strategy• Risk

Management and Compliance

• Value Delivery• Monitoring and

Reporting• Stakeholder

Communication• Decision Making

IT Governance

Roles Functions

• Board• Directors• CEO• CFO• CIO• Project Manager• IT Staff

• Strategy• Risk

Management and Compliance

• Value Delivery• Monitoring and

Reporting• Stakeholder

Communication• Decision Making

Financial Governance

Roles Functions

• Board• Directors• CEO• CFO• Project Manager• Finance Staff

• Strategy• Risk

Management and Compliance

• Value Delivery• Monitoring and

Reporting• Stakeholder

Communication• Decision Making

1

Source: Effective Governance Pty Ltd (2010)

WHY ADOPT ITGOVERNANCE?

I T G OV E R N A N C E & M A N AG E M E N T

WHY ADOPT ITGOVERNANCE?

• IT Governance increases profit margins, raises market capitalisation, enhances shareholder returns.– Companies with above average IT Governance are 20% more profitable– Investors pay 14%-22% more for well-run, well-governed– Top-rated Corporate Governance companies return more than triple to

investors

• Problems with IT Governance– Often confused with good management practices and IT control frameworks– More important to be focused on value and performance than on risk and

compliance

I T G OV E R N A N C E & M A N AG E M E N T

WHY ADOPT ITGOVERNANCE

• Tools to guide the governance of IT functions– ISO/IEC 38500:2008– COBIT– ITIL– ISO/IEC 27001– CMMI– TickIT– Balanced Scorecard– Six Sigma– TOGAF

COBITCONTROL OBJECTIVES FOR INFORMATION

AND RELATED TECHNOLOGIES

I T G OV E R N A N C E & M A N AG E M E N T

COBITC O N T R O L O B J E C T I V E S F O R I N F O R M A T I O N A N D R E L A T E D T E C H N O L O G I E S

• A set of best practices (framework) for IT management

• Created in 1996 by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

• Provides a high-level, comprehensive IT governance and control framework

• COBIT consists of three main parts: – Control framework– Management guideline – Implementation toolset

• COBIT awareness exceeds 50%; adoption and use is around 30%

ISO/IEC 38500:2008

CORPORATE GOVERNANCE OF INFORMATION TECHNOLOGY

I T G OV E R N A N C E & M A N AG E M E N T

ISO/IEC 38500:2008 C O R P O R A T E G O V E R N A N C E O F I N F O R M A T I O N T E C H N O L O G Y

• The ISO/IEC 38500:2008 standard provides a framework, vocabulary and six principles for good ICT governance – Responsibility - establish clearly understood responsibilities for ICT

management

– Strategy - plan ICT to best support the organisation’s strategy;

– Acquisition - acquire ICT for valid reasons

– Performance - ensure that ICT performs well, whenever required

– Conformance - ensure ICT conforms with legislation and policies

– Human behaviour - ensure ICT respects human factors

I T G OV E R N A N C E & M A N AG E M E N T

ISO/IEC 38500:2008 C O R P O R A T E G O V E R N A N C E O F I N F O R M A T I O N T E C H N O L O G Y

• Directors should govern IT through three main tasks– Evaluate the current and future use of IT;– Direct preparation and implementation of plans and policies – Monitor conformance to policies, and performance against the plans

I T G OV E R N A N C E & M A N AG E M E N T

ISO/IEC 38500:2008 C O R P O R A T E G O V E R N A N C E O F I N F O R M A T I O N T E C H N O L O G Y

Model for Corporate Governance of IT

Six Sigma can be applied

ISO/IEC 38500:2008

ITILINFORMATION TECHNOLOGY

INFRASTRUCTURELIBRARY

I T G OV E R N A N C E & M A N AG E M E N T

ITILI N F O R M A T I O N T E C H N O L O G Y I N F R A S T R U C T U R E L I B R A R Y

• A public framework that describes Best Practice in IT service management

• Most widely accepted approach to IT service management in the world

• Key improvement to ITIL V3: Addition of the Continual Service Improvement (CSI) Process

I T G OV E R N A N C E & M A N AG E M E N T

ITILI N F O R M A T I O N T E C H N O L O G Y I N F R A S T R U C T U R E L I B R A R Y

• The 5 processes– Continual Service Improvement (CSI)– Service Strategy– Service Design– Service Transition– Service Operation

• Continual Service Improvement (CSI): 3 key processes for effective implementation of continual improvement– The 7-Step Improvement Process– Service Measurement– Service Reporting

I T G OV E R N A N C E & M A N AG E M E N T

ITILI N F O R M A T I O N T E C H N O L O G Y I N F R A S T R U C T U R E L I B R A R Y

• The 7 Steps– Step 1 - Define what you should measure – Step 2 - Define what you can measure – Step 3 - Gather the data – Step 4 - Process the data – Step 5 - Analyse the data– Step 6 - Present and use the Information– Step 7- Implement corrective action

IT GOVERNANCEMATURITY

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCEMATURITY

• With formal processes and structures – such as an IT strategy and steering groups – the organisation can better: – align IT strategy with the business strategy

– transform high level strategic goals into actual IT projects

– establish procedures for prioritising IT projects that are understood and supported by all senior managers

I T G OV E R N A N C E & M A N AG E M E N T

IT GOVERNANCEMATURITY

IT Governance Maturity LevelsSource: Control Objectives for Information and related Technology (COBIT)

GOVERNANCE &MANAGEMENT TOOLS

I T G OV E R N A N C E & M A N AG E M E N T

GOVERNANCE &MANAGEMENT TOOLS

• Many tools can be used separately and together

• Some tools are more suited to governance, some more to management

• Requirement is to develop a framework that integrates both IT governance and management into the wider business

CONCLUSIONS

I T G OV E R N A N C E & M A N AG E M E N T

CONCLUSIONS

• IT is now a regular agenda item for corporate boards

• IT governance is a component of corporate governance

• Major difference between IT management and governance:– IT management is internally and present time focused,

– IT governance is externally focused and future orientated

I T G OV E R N A N C E & M A N AG E M E N T

CONCLUSIONS

• Implications: IT is no longer just a tool, it is an organisation’s life blood

• Limitations: BSC tends to be broad brush tool for strategy, whereas a surgical tool is needed for IT governance

• Future directions– Develop an IT Governance Maturity Model (ITMM) based on the

standard 5 steps of CMMI– ITMM would allow the classification of the management tools to

determine its position on the life cycle of IT governance– Evaluate ITMM across various industry types, sizes and locations to

allow organisations to determine their relative maturity when benchmarked against similar entities

S T A R TE N D O F S H O W