IT Governance: Sound Management Practices that Deliver Result
IT governance is the decision rights and accountabilities that encourage desirable behaviour in the use of IT. IT governance is embedded in formal structures that allocate rights and responsibilities for decisions in certain IT domains. An IT governance arrangement describes how an enterprise’s decisions related to IT are made and enforced.
Agenda
What "IT Governance" entails IT Mission Considerations
Enablement Risk Management
Why should we care?
•By deploying today’s robust IT governance solutions, organizations can enhance existing IT management capabilities to achieve unprecedented efficiencies and improved visibility into the complete organizational state of IT and its relations to all significant underlying business processes.
•With an IT governance solution, the IT organization can enhance control over IT resources and risks so that they can offer the entire enterprise much more than just basic management of networks, systems, applications, data and personnel.
•IT governance solutions deliver a contextual framework for determining how IT infrastructure can be leveraged and optimized to achieve strategic business objectives without significantly increasing administrative costs or risk.
•A robust IT governance solution permits organizations to manage important IT performance impacts on business processes.
Why should we care?
When implemented, an effective IT governance solution should deliver the following key benefits:
•Visibility: An IT governance solution enables effective management and visibility of risk across the four pillars of risk:
1. Operational
2. Compliance
3. Technology
4. Strategic
•Flexibility: An IT governance solution delivers flexibility by supporting required variations in methodology according to requirements across business units and geographies.
•Efficiency: An effective IT governance solution provides efficiency by allowing organizations to synchronize a risk program across the organization, business processes and down into IT services, thus helping to define risk interdependencies and manage risk holistically.
AT Kearney 2004-2005 Technology Innovation Study:
• 72% of business leaders believe IT enabled their business strategy but only 30% are “fully aligned”
• 45% of respondents believe IT is primarily focused on day-to-day requirements
• 70% identify technology innovation as critical yet 80% of actual IT investment is focused on infrastructure and core operation
Projects
• $600 billion spent on ill conceived or poorly executed IT projects – Gartner
• 71% of IT projects fail or are challenged – Standish
Operational Processes
• 80% of availability problems caused by human error – IDC
• 45% of operating expense budget consumed by unplanned work – ITPI
What is governance?
Corporate Governance Defined
Governance derives from the Latin word “gubernare” relating to the rudder and steering of a ship
"Corporate Governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The corporate governance framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society." -- Adrian Cadbury in “Global Corporate Governance Forum”, World Bank
“Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the goals for which the corporation is governed. The principal players are the shareholders, management and the board of directors. Other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large.” – Wikipedia
IT Governance
“The overall objective of IT governance, therefore, is to understand the issues and the strategic importance of IT, so that the enterprise can sustain its operations and implement the strategies required to extend its activities into the future. IT governance aims at ensuring that expectations for IT are met and IT risks are mitigated.” – IT Governance Institute’s “Board Briefing on IT Governance”
• It arose from a lack of discussions about IT at the Board and strategy levels
• Often times IT is only discussed when capital is needed
• Organizations that had strategic IT discussions at the Board level outperformed competitors over the past five years – AT Kearney
• The management of IT should be no different than any other functional area.
In short, IT Governance outside of the Board level is really concerned about sound management and not governance per se
IT Governance: Objectives and Challenges
So, IT Governance: a contextual frameworkha the Goal?
[Diagram: Organizational Goal, with functional areas Accounting, Manufacturing, Sales, Customer Service, Human Resources]
To Maximize Sustainable Profits
[Diagram: Maximize Sustainable Profits, with functional areas Accounting, Manufacturing, Sales, Customer Service, Payroll]
Theory of Constraints
Dr. Eliyahu Goldratt – Israeli Physicist
• Organizations are systems of business units assembled to achieve a goal
• If there isn’t a goal, there isn’t a system
Throughput accounting
• Inventory is money tied up in the system
• Operating Expenses are monies consumed creating units of the goal
• Throughput is the conversion of units of inventory into units of the goal
• We want systems that improve throughput while driving down inventory and operating expenses
• Constraints are what inhibit attainment of the goal
• We want to identify constraints and then act to drive them down to increase systemic throughput
• Need to recognize that we are dealing with a system and focus on system throughput – not just local optimizations
• If we can’t relate activities to the goal, then why are we performing the activities?
Resource
• Domenico Lepore and Oded Cohen. “Deming and Goldratt – The Theory of Constraints and the System of Profound Knowledge”. North River Press. 1999.
• Eliyahu Goldratt. “Beyond the Goal: Eliyahu Goldratt Speaks on the Theory of Constraints”. Coach Series [Audio Book on CD]. 2005.
What Is Constraining the Goal?
[Diagram: Maximize Sustainable Profits, with functional areas Accounting, Manufacturing, Sales, Customer Service, Payroll]
• Poor schedule is costing the firm $200,000/day through lost production and/or expediting of orders
• Customer Service reps are inefficient and it is estimated that $150,000/year could be saved by putting in a new system
• The order entry website crashes once a week and the firm loses about $5,000 in sales from opportunistic buyers and incurs $500 in unplanned labor costs
Improving the Organization
• Where do we want to be? – Vision and Objectives
• Where are we now? – Audits / Assessments
• How do we get to where we want to be? – Process Improvement (Leverage Best Practices)
• How do we monitor progress? – Metrics and Critical Success Factors
Value Enablement
Positive Force Multiplication vs. Negative Force Multiplication
Quality Management
Quality means conformance to requirements – Phil Crosby
This means:
• IT must understand the customer’s requirements
• IT must meet the customer’s requirements
This assumes that the customer and IT understand the goals of the organization and how functional area objectives support them
After WWII in Japan, Ishikawa used to tell the people on the manufacturing line that the people in the next step were their customer
Business IT Alignment (BITA)
• Need the business engaged with IT and not just IT in a vacuum
• “Technology Pull” vs. “Technology Push”
• IT Service Management – services that meet customer requirements both today and in the future
• Primus inter pares – “First among equals” – IT and other managers working together
• IT may know the technology but the business knows the business even better
• IT and the business must leverage each other’s strengths and compensate for each other’s weaknesses
• Requires dialogue, regular meetings, … and lots of hard work!
• Roles & responsibilities must be understood
• It can’t just be IT – this is an organizational culture issue
• Who better than logistics to argue for a new IT logistics service with IT playing a supporting role?
Communication Barrier
• Need to speak in terms of enabling objectives and goals while managing risk
• Focus on business and customer needs, technology is secondary
• Need to focus on terms that are mutually understood
• IT must avoid “geekinese” and understand what management needs
• For example, discussing requirements for a two page summary report vs. a forty page report that serves up lots of content but little information
• Communication must be on a regular schedule in a venue and format that maximizes senior management’s attention
Tone At The Top
• Senior management must support IT in deeds as well as words
• “Just get it done” can destroy all the organizational change work done to date
• Recognize that IT must be engaged the same as any other technical group
Strategic Planning
• IT and the business must work together to accomplish objectives
• IT needs to understand strategic plans in order to support the business and the business must understand IT’s capabilities
• IT projects and resulting services are costly and can impact the quality of business services rendered – they need proper planning
• No different than planning for new production plants
• Recognition of IT value, not just cost
• Board level IT strategy committee
Steering Committee
• Visibility and involvement into the direction of IT
• Set within context of strategy
• Steering committee defines priorities
• Tracks status of projects
Service Development Lifecycle
Quality standards around development projects
• Requirements definition
• Coding standards
• Testing
• Identification of best practices
• Migration to production
• Documentation
• Evidentiary requirements
Roles and responsibilities
Resource
• Carnegie Mellon’s Capability Maturity Model Integration (CMMI)
• Google
Project Management
29% of projects delivered on-time with expected features, 53% were challenged and 18% outright failed [1]
The majority of the causal factors are non-technical including:
• Lack of project planning
• Poor requirements definition
• Correct stakeholders not involved, or not involved early enough
• Poor communications
• Insufficient management oversight
Resources
• PMI’s Project Management Body of Knowledge (PM-BOK)
• Projects in Controlled Environments Version Two (PRINCE2)
• Google
IT Service Management (ITSM)
Three objectives
• Align IT Services with the current and future needs of the business
• To improve the quality of IT services delivered
• To manage long-term costs of services
This is a change in mindset away from technology to one of enabling services and quality
People, Processes and Technology
Resources
• Information Technology Infrastructure Library (ITIL)
• IT Service Management Forum (itSMF)
Internal Audit
Audit plays an important role in organizations by performing a facet of the “check” function
• Ethics
• Regulatory Compliance
• Process Compliance
• Control and Process Improvement Opportunities
Risk Management
Why Is Risk Management So Important?
Limited Resources and Seemingly Unlimited Risks!
Companies need to understand and prioritize risks in order to safeguard functional area objectives and organizational goals
Safeguard the Goal
[Diagram: Maximize Sustainable Profits, with functional areas Accounting, Manufacturing, Sales, Customer Service, Payroll]
What Is a Risk?
• The probability of a negative event impacting the realization of functional area objectives and/or organizational goals
• Does a risk matter if it doesn’t impact a functional area objective or organizational goal? NO
• Information Technologies are a threat vector
• In the end there is only business risk
• It isn’t IT that goes out of business!
• IT should be a stakeholder in a larger Enterprise Risk Management (ERM) effort
Resource
• COSO Enterprise Risk Management (ERM)
• NIST
Use Controls to Manage Risk
• Risks cause variation around the achievement of objectives and goals
• Some variation is always present and inevitable
• By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective
• Controls are found in the services IT maintains and provisions
• Within the applications users access
Resource
• Information Systems Audit and Control Association – Control Objectives for IT and Related Technologies
[Figure: control chart of Measurement over Time, showing Mean, LCL and UCL]
Don’t Try to Eliminate Risk!
• You can spend a fortune and you will never truly hit a 100% level of assurance – it’s not possible
• The objective is to lower risk to an acceptable level, not eliminate it because that is not possible!
• Work with senior management and Internal Audit to define what level of residual risk is acceptable
• There is no prize for overly controlled processes – only costs, frustration and lost agility
[Figure: Level of Assurance plotted against Level of Investment, with 100% marked]
Change Management
• Change Management is a risk management function and a foundation control
• 78-80% of unavailability is tied to human error
• The result: Delayed projects and the perception that IT cannot get anything done
• As the levels of complexity and integration increase, so too does the need for effective change management, otherwise forward momentum will stop and even reverse
• Properly designed Change Management can facilitate agility because productive work can actually be accomplished
• There is a huge difference between total changes and net successful changes
• Being able to deploy 10,000 patches overnight can crash thousands of systems overnight!
• Need a company specific change management process that balances off risks to the organization with the business’ need to change
Resources
• ITIL Service Support volume
• ITPI’s Visible Ops methodology
Continuous Improvement
[Diagram: improvement cycle with stages PLAN, DO, CHECK, ACT]
Continuous Improvement
• What is needed today will be different than what is needed later
• Objectives, Risks, resources, and so on will all change over time
• Continuous Improvement is a necessity
• The building blocks of an IT Governance strategy help companies make strategic choices and carry them through to operational reality.
Continuous Improvement
• Where do we want to be? – Vision and Objectives
• Where are we now? – Audits / Assessments
• How do we get to where we want to be? – Process Improvement (Leverage Best Practices)
• How do we monitor progress? – Metrics and Critical Success Factors
If something doesn’t map to objectives and goals, then should it be done?
[Diagram: Organizational Goal, with functional areas Accounting, Manufacturing, Sales, Customer Service, Human Resources]
In Sum
Implementing an IT governance solution can deliver immediate benefits to the entire organization. These key benefits include:
• Ability to map IT and technology risks into business processes.
• Better visibility and decision support around IT risks.
• Improved efficiency.
• IT risk reduction