
PINK ELEPHANT

THOUGHT LEADERSHIP WHITE PAPER

PROFILING YOUR ORGANIZATION’S

GOVERNANCE OF ENTERPRISE IT

Authors:

Rob England, The IT Skeptic

Malcolm Ryder, Principal, Archestra Research

Jack Probst, Principal Consultant, Pink Elephant


If the world can’t agree on exactly what Governance Of Enterprise IT (GEIT) is, perhaps it is easier to talk about what governance is not. In this paper we present a profiling model for GEIT which presents a maturity model. The model starts with the null hypothesis: What does an organization look like with no governance of IT at all? The Answer: Oblivious. Then it moves up through two dysfunctional levels – Irresponsible and Lucky – to finally reach a definition of good GEIT: Trusted.

In the first white paper in this series we explored the idea that Governance Of Enterprise IT Is Missing In Action. As that paper said:

The great majority of IT organizations today operate within a politically entrenched, silo-based model where GEIT is a myth and enterprise IT strategies are non-existent.

The term Enterprise IT refers to all groups which manage information technology assets and data. The scope of GEIT is the governance of the IT resource and is not limited to what may be considered the IT Function. The IT resource typically includes multiple stakeholder groups, spanning both internal and external suppliers, across the end-to-end enterprise. There is often simply no agreement or vision to govern these often interdependent technology assets under one agreed-upon approach.

The challenge faced today is that many senior IT leaders consider the current fragmented approach to IT value stream governance and management to be normal, and even positive. Very few have questioned the cause and effect of silo-based governance and have yet to acknowledge the cause and effect of this status quo.

There are multiple views of what GEIT means. The second white paper in this series presented Governance Of Enterprise IT – A Model. That paper illustrated:

The discussion of governance begins with an understanding of what the term means. It was the collective experience of the PTT panelists that if 10 IT managers were asked to define governance, 10, 12 or more definitions would be proffered. The confusion seems to spring from the fact that there isn’t one agreed industry recognized definition for governance.

In fact the definition is further clouded in that the term IT Governance has been applied to Risk, Audit, Security and Compliance Management activities. So much so, it is the opinion of the Pink Think Tank (PTT) that the term governance has been claimed by these practices and perhaps is no longer appropriate in the context of establishing strategic oversight. The second white paper goes on to offer governance models developed as an outcome of the PTT to help bring clarity to the term.

www.pinkelephant.com

Executive Summary


In this paper we present a profiling tool for GEIT which produces a maturity model. If we can’t agree on exactly what GEIT is, perhaps it is easier to talk about what it is not. What does it look like when governance is not there? The model starts with the null hypothesis: What does it look like with no governance of IT at all? Then it moves up through two dysfunctional levels – Irresponsible and Lucky – to finally reach a definition of good GEIT.

The profiling model is intended as a learning tool, to increase understanding of the various aspects and attributes of governance. The model’s levels will provide organizational insight when planning improvement of GEIT practices, etc. However, the model is not intended as a scientific, rigorous or calibrated instrument for assessment of an organization.


Table Of Contents

1 INTENTIONALLY COMPETENT
2 MATURITY MODEL
3 FOUR FACTORS OF GOVERNANCE
4 PROFILING TOOL


1) INTENTIONALLY COMPETENT

Putting governance into identifiable practice requires two broad characteristics: competency and intentionality.

• Competency – the capability, authority, knowledge and skill of an organization and organizational bodies to effectively institute and direct, on an ongoing basis, the framework necessary for organizationally and socially appropriate governance. Competency represents an organizational ability to execute governance.

• Intentionality – an observable attribute of governance activities that reflects the actions, outcomes, decisions and guidance of an organization’s governance framework that results from either a coordinated prescriptive approach or through well-intentioned but uncoordinated individual actions. Intentionality represents an explicit goal to govern.

The balance of competency and intentionality is an important way to profile an organization. Intentionality represents having an explicit goal of governing (Culture); competency represents an actual ability to execute (Capability).

Evaluating these dimensions for an organization provides a mechanism to profile the current state of an organization’s governance, to establish a desired future state, and to assist in crafting a plan to close the gap.

We have cross-referenced intentionality (weak to strong) and competency (weak to strong) to identify four states of governance.


            | Unintentional | Intentional
Competent   | Lucky         | Trusted
Incompetent | Oblivious     | Irresponsible


2) MATURITY MODEL

These states of governance give us a simple maturity model for GEIT:

1. Oblivious (Low Intention/Low Competence).
Governance is poor or absent. A lack of understanding of its importance results in no perceived need for governance improvement, even though the symptomatic problems are a constant burden. Being Oblivious is the result of a failure to understand. “We don’t know any better”.

2. Irresponsible (High Intention/Low Competence).
Governance is going through the motions but without tangible benefit to the organization. Governance is deemed to be organizationally or socially inappropriate or irresponsible. In some cases the outcomes of governance generate negative consequences that could be considered criminal or socially unacceptable in nature. This is a failure of ethics or alignment. “We don’t believe or care”.

3. Lucky (Low Intention/High Competence).
Governance is a loose paradigm for the organization without strong practices or processes. Governance is not a priority because the outcomes (so far) are generally favorable but “we aren’t sure why”. A poor understanding of risk leads to complacency. This is a failure of discipline or maturity. “We don’t think or worry because we haven’t been hurt yet”.

4. Trusted (High Intention/High Competence).
Governance is trusted by the organization to provide the necessary direction, guidance and controls to affect and manage the risks facing the organization and behaviors influencing risk realization. “We know what to do, how to do it and the reasons we are doing it”.


3) FOUR FACTORS OF GOVERNANCE

In order to profile against this maturity model, we need to look at the levels of competency and intentionality. In the PTT we developed four general factors that account for the strength and impact of the competency and intentionality:

• Practice – the collection of actions and decisions that are purposefully undertaken, having an effect on the alignment of resource use to stakeholder value
• Expertise – the type and degree of awareness and capability that is applied by parties running the business, regarding the ability and opportunity to govern
• Conditions – the current-state effects and outcomes of conducting the business, relevant to the perspective of governance
• Culture – the behavior norms and belief norms of the environment in which business conduct is generated

These four factors are generally coupled to each other, for example:

• It is expected that Culture may precondition Expertise as well as be shaped by it
• Conditions are the likely typical effects of current Practices, but they may be inhibitors as well as effects
• Practices should develop and improve with the support of improving Expertise, but Practices may also prescribe what kind of Expertise is pursued

Competency and intentionality are each quite variable. If we see them as indicators of success in governance, then we can use them to profile whether an organization has a sustained behavior that can be expected to support alignment to stakeholder business needs.

Each of the four maturity states – Oblivious, Irresponsible, Lucky, and Trusted – includes characteristics of Practice, Expertise, Conditions and Culture that meaningfully distinguish an organization’s governance behavior from that of other entities.


4) PROFILING TOOL

Evaluating the dimensions of Competency and Intentionality is subject to a degree of imprecision and subjectivity. To provide context to the dimensions we developed a matrix of the four factors that profile an organization’s governance framework.

Use the following tables to profile your organization. As we stated at the outset, this is not intended to be a rigorous maturity assessment. It paints a picture for you to help in deciding how much governance improvement is needed, how urgently, and in what areas.

You may find it interesting and enlightening to check off which of the four maturities best describes your organization in each row of the tables. The more analytical amongst you will not be able to resist giving a score instead, and the most enthusiastic amongst you may well assign a weight to each row. However, that level of analysis would be extending this instrument well outside its design parameters: it is not intended to be that precise a tool, only indicative.

Once you have determined your organizational profile, what then? The next and final white paper in this series on Governance of Enterprise IT will offer the collected advice of the Pink Think Tank on how to approach the implementation of IT Governance.

After you have completed your own profile, we would be very interested in your thoughts, comments and feedback regarding the utility, applicability and contextual nature of the tool. If we get sufficient feedback on the criteria in this profile, we will publish a revision in future. There is plenty of scope for more and better descriptors in the profiling tool. So please come to the LinkedIn group and post your comments at https://www.linkedin.com/grp/home?gid=7473572.


SCOPE: Context: the asset that is at stake, and its scope


Oblivious | Irresponsible | Lucky | Trusted | O | I | L | T

Practice
• IT resources and components are managed in isolation from each other
• Always firefighting
• Governance is focused on managing the technology asset without a good understanding of its business context
• Unpredictable responses to same conditions
• IT Governance is focused only on the assets controlled by the IT Function: it does not include technology and information assets managed by other business groups
• Governance is based on technology silos or domains
• Inconsistent responses to same conditions
• Resources hoarded
• Post-facto rationalization: we justify results after the fact
• Hate or threatened by audits
• Cavalier responses to same conditions
• Well-defined scope – we know what we are covering and not covering: process/service/technology
• Governance is intentional, not reactive
• Strong alignment of managing IT risk with business risk
• Defined repeatable responses to same conditions

Expertise
• Lack of self-awareness
• Lack of alignment
• No systems
• Limited awareness of frameworks
• Get better at firefighting not fixing
• Dismissive of frameworks
• Governance is understood in terms of compliance and risk
• The right tool will fix the problem. Embed the rules in the tool
• Over-reliance on past experience
• Fanatical about a framework: by the book
• Always done it that way
• Gut feelings rule
• Wing it
• Dependencies between tiers are understood
• Business impact is understood
• Alignment between IT strategies and business strategies is understood

Conditions
• Random unexplained events: things just happen without knowing why
• Lots of issues without knowing why
• Managing aging or complex infrastructure
• Some services have been defined but have not been agreed to
• Results are inexplicably good – we don’t know why
• Repeatability not guaranteed
• Alignment between IT strategies and business strategies is good
• Governance is multi-tiered throughout the business service architecture (portfolios of resources)

Culture
• Lack of customer engagement
• Low morale. Despair, cynicism
• Passive/aggressive behavior
• Governance is subordinate to Finance
• Different rules for different people, without justification
• I know better than my customer
• Believe in governance until the crisis of the moment occurs and then we go back to the old way
• Value individual effort over group effort
• Honor heroes, firefighters
• No sense of need to comply
• If it ain’t broke don't fix it
• Cowboys
• The business understands the importance of providing direction for IT and IT participates collaboratively in those decisions
• Professionalism, agility


WHY: Optimize return, resources and risk, and ethics


Oblivious | Irresponsible | Lucky | Trusted | O | I | L | T

Practice
• Don't understand and manage resource requirements
• Poor financial planning and no actuals
• Non-compliance is seen as an acceptable risk
• Evasive behavior used as a strategy versus accountability
• Controls reward the company at the expense of the customer
• ROI may be required up front but is not tracked and reported
• Technology data repositories focus only on assets and data within specific domains or silos
• Never got the company in trouble so far
• I get the job done
• Less controls means more efficiency
• Good at balancing risk against return and resource
• Plan for unforeseen consequences
• Risk register
• Investment register

Expertise
• Don't know what governance means
• Don't understand and control risk
• Not aware of what to comply with
• Don't understand or meet stakeholders’ needs
• There is little to no understanding of IT value streams which cross departmental boundaries
• Awareness is used to avoid scrutiny
• Know just enough to be dangerous
• Fanatical adherence to frameworks
• Blind to consequences and ignoring risks
• My customers know to come directly to me if there is a problem
• Capable of mapping investments to outcomes and mission/vision

Conditions
• Undetermined actual value
• Lack of transparency of cost
• Can’t get funding
• Other sources “cheaper”
• Working to avoid being outsourced
• The business is forced to use IT
• Deniability is a regular, popular and accepted practice
• Risks are often reported but not consistently managed
• Meeting SLAs
• Complaints are low; satisfaction OK
• IT is a preferred supplier
• IT is a trusted partner.
• Transparency of cost and risk

Culture
• Ignorance is deniability
• Every day is a surprise
• Believe the primary responsibility is technology optimization
• Have a false sense of separation from the business partner organizations
• Business believes it knows best
• I don't have to comply
• I can get away with stuff and no one will know
• You have to break a few eggs to make an omelet
• I just do my job right or wrong
• We can change the rules of the road to meet the conditions at the moment
• Arrogance, swagger. Captain of the Titanic
• We're successful so why change
• Believe we have everything under control
• Decisions and priorities are based on organization’s risk appetite and tolerance
• Stakeholder values drive decisions
• Belief that we are doing what's right for the organization not just for one function, role or group


HOW: Evaluate-Direct-Monitor Reference Model and feedback loops


Oblivious | Irresponsible | Lucky | Trusted | O | I | L | T

Practice
• Lack of metrics
• Planning cycle is daily
• Reactive, not proactive
• Majority of time is spent in reactive, unplanned firefighting mode without considering root cause
• There are multiple technology asset repositories with duplicate data and information with little to no synchronization or data standards to promote consistency
• Authority and relationships are used instead of practice models
• Metrics only technical and operational, not strategic or tactical
• Doing minimum you can get away with
• E-D-M processes are formalized, known, and adhered to
• Uses a benefits realization statement as a measuring device to assess value and alignment
• Tracks and reports the value of business decisions as improvement feedback
• Well outlined and managed controls and feedback mechanisms

Expertise
• No reference model
• Don't understand or know the business strategy
• Avoid change
• "Spin" is readily and frequently offered and accepted as accountability
• Subvert change
• Don’t understand why (governance by compliance)
• Assume everything is okay unless someone complains
• Change as a whim
• Respect for, and selective adoption and adaptation of multiple frameworks and models
• Continual evaluation of internal and external factors: micro and macro environment
• Situational awareness
• Managed change

Conditions
• No feedback loops
• Inconsistent and unpredictable direction
• Never seem to get ahead of the last challenge. Incidents are always repeating
• Some governance monitoring exists but this does not always lead into Evaluate and Direct
• Some directing and monitoring but no evaluation
• Fix it when it breaks
• Responds and adapts well to external factors, events, conditions, influences etc.

Culture
• No shared vision of “good”
• Bogged down, immobile
• Procedures conducted under idea that the ends justify the means
• Strong belief that if we tell the group what to do they will do it. Very little if no follow-up
• Lurching, destructive
• Bunker mentality
• CYA
• Only as much governance as I have to
• Don't need controls or policies because typically not at fault.
• Leaping about, irrational
• Adopt and adapt
• Decisions are made by and with key stakeholders and decision makers from both the business and IT
• Agile, consistent, reliable


WHO: Owner, governing bodies, management, operation; accountability and authority


Oblivious | Irresponsible | Lucky | Trusted | O | I | L | T

Practice
• No governance body
• Urgent trumps important
• Authority profiles not defined or understood
• Scope of practices limited to small group at top of hierarchy
• Some understanding of the difference between Governance and Management, but not executed differently
• Governance at the technical domain and operational silo domain
• Governance by management fiat
• Governance has a decidedly financial focus
• Short planning cycles, focused on program and project management
• Formal governing bodies appointed by the owners
• People assigned to govern represent the stakeholders
• Each governed scope (e.g. IT) has a comprehensive representation amongst governors
• Governance body constituency is determined based on the focus or scope. Broad scope (e.g. IT investments) will engage multiple business and IT leadership whereas limited scope (e.g. programs) will be limited to stakeholders

Expertise
• IT done by heroes
• Do not understand expectations
• Working with blinders on
• Too many bosses
• Every manager has an opinion that trumps direction given by others
• "Following orders" used to avoid taking responsibility
• "Need To Know" mentality discourages questioning and assessment
• Governance is focused on projects; program portfolio over service portfolio
• Applications centric; no systemic view
• Technology Mastery seen as the primary skill for business value enablement
• The charter and roles and responsibilities are well-understood

Conditions
• Authority does not match accountability
• Ill-defined roles and responsibilities
• Job descriptions do not match reality
• Localized decision making but more to enforce management principles, not making the right decisions to support goals and objectives
• Architecture is run down, over time
• Technical debt
• Self-appointed governorship
• Managers have full authority over the decisions within the scope
• All outcomes, benefits and risks have assigned owners

Culture
• Work is done through informal networks
• Individual and personal priorities dominate
• Squeaky wheel gets the grease
• No sense of a collective “we”
• Governance by dictatorship
• Operations are aimed at concentrating benefits instead of sharing benefits
• Governance is someone else’s responsibility/problem
• Operational sustainability is not considered
• Builds a culture of incompetence
• I’m the boss – do as I say
• Directions and decisions are very much technology silo centric
• Governance extends across the enterprise


WHAT: Policies, Plans, Goals, Controls, Maturity Models, Decision Models, Resources


Oblivious | Irresponsible | Lucky | Trusted | O | I | L | T

Practice
• Governance instruments are non-existent
• Bad or misaligned goals
• Plans are not followed
• Each technology domain is considered separately as opposed to a coherent whole or system
• Contrived controls
• Policies are used as suggestions instead of as priorities
• Compliance is treated as the goal versus strategic oversight
• Performance targets trump policy enforcement
• Decision Model changes constantly
• Minimal controls to meet audit/compliance requirements
• Decisions made by individuals with little collaboration
• Just-in-time controls
• Decisions are based about variances and standardizations
• Policies are enforced
• Plans are both predictive and iterative

Expertise
• Low process maturity
• Tribal knowledge and corporate myth dominate
• Resources are not aligned to do the right work
• Documentation not valued.
• Process maturity is based on individual effort (hero culture)
• Enterprise architecture disregarded or rejected
• The governance intake process is clear, formal and used
• Plans are appropriately evaluated for alignment
• Proactive planning

Conditions
• Artifacts are dead, derelict, or inconsistent
• No documented policies
• Smoke and mirrors
• Measures are not balanced (financial overemphasis)
• Appropriate levels of instruments are employed
• Artifacts are active and used
• Cascading instruments at each level of the organization

Culture
• No policy enforcement or consequences
• Ready-fire-aim
• Accountability is what happens when I get caught
• Belief that tools and workflow solve issues
• Squeezing costs for results
• Have good people so that's enough
• Get stuff done so that's enough
• Results oriented
• Fit for purpose and fit for use
• Formal governance is accepted and expected. Governance practices, procedures etc. are documented and continuously reviewed and updated

O I L T

Add them up:

© Pink Elephant Inc., 2015. The contents of this case study are protected by copyright and cannot be reproduced in any manner. Pink Elephant and its logo, PinkVERIFY, PinkSCAN, PinkATLAS, PinkSELECT, and PinkREADY are either trademarks or registered trademarks of Pink Elephant Inc. The contents of this document are protected by copyright and cannot be reproduced in any manner. ITIL® is a registered trade mark of AXELOS Limited.


ABOUT PINK ELEPHANT

We Lead The Way!

A premier global training, consulting and conference service provider, Pink Elephant has an undisputed reputation for leading the way. We’re proud of our pioneering and innovative spirit, which has enabled us to introduce and spearhead many revolutionary concepts and programs since our inception forty years ago.

ABOUT THE AUTHORS

Rob England, The IT Skeptic

Rob England is a self-employed IT commentator and consultant. He consults in New Zealand on IT governance, strategy and processes. Internationally, he is best known for his blog The IT Skeptic and half a dozen books on IT. He speaks widely at conferences and online.

Malcolm Ryder, Principal, Archestra Research

As Principal of Archestra Research, Malcolm blends over 30 years in management consulting, IT, marketing and the art world. His approach features findings and advisories based on recurring direct experiences across those domains, about how we identify, design and build value.

Jack Probst, Principal Consultant, Pink Elephant

Jack Probst has a diverse management, business and technical background, and he delivers strategic process consulting and advanced ITIL® training and education programs as a Principal Consultant for Pink Elephant.
