Implementing Effective IT Governance and IT Management - Gad Selig - E-Book

Gad Selig

Description

This book is a revised edition of the best selling title Implementing IT Governance (ISBN 978 90 8753 119 5).

In all enterprises around the world, the issues, opportunities and challenges of aligning IT more closely with the organization and effectively governing an organization’s IT investments, resources, major initiatives and superior uninterrupted service are becoming a major concern of the Board and executive management. An integrated and comprehensive approach to the alignment, planning, execution and governance of IT and its resources has become critical to more effectively align, integrate, invest, measure, deploy, service and sustain the strategic and tactical direction and value proposition of IT in support of organizations. Much has been written and documented about the individual components of IT Governance such as strategic planning, demand management, program and project management, IT service management, strategic sourcing and outsourcing, performance management, metrics, compliance and others. Much less has been written about a comprehensive and integrated approach for IT/Business Alignment, Planning, Execution and Governance. This title fills that need in the marketplace and offers readers structured and practical solutions using the best of the best practices available today.

The book is divided into two parts, which cover the three critical pillars necessary to develop, execute and sustain a robust and effective IT governance environment:

■   Leadership, people, organization and strategy;

■   IT governance, its major component processes and enabling technologies.

Each of the chapters also covers one or more of the following action oriented topics:

■   the why and what of IT: strategic planning, portfolio investment management, decision authority, etc.;

■   the how of IT: Program/Project Management, IT Service Management (including ITIL); Strategic Sourcing and outsourcing; performance, risk and contingency management (including COBIT, the Balanced Scorecard etc.) and leadership, team management and professional competences.

Page count: 757

Year of publication: 2015

Implementing Effective IT Governance and IT Management

Colophon

Title:

Implementing Effective IT Governance and IT Management

Subtitle:

A Practical Guide To World Class Current and Emerging Best Practices

Author:

Dr. Gad J Selig PMP, COP

Editor:

Steve Newton

Publisher:

Van Haren Publishing, Zaltbommel,

www.vanharen.net

ISBN Hard copy:

978 94 018 0008 2

ISBN eBook:

978 94 018 0528 5

ISBN ePub:

978 94 018 0572 8

Edition:

First edition, first impression, March 2008
Second edition, first impression, February 2015

DTP:

CO2 Premedia, Amersfoort - NL

Copyright:

© Van Haren Publishing 2008, 2015

For any further enquiries about Van Haren Publishing, please send an e-mail to: [email protected]

All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm, electronic, the Internet or any other means without written permission by the publisher.

Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.

PRINCE2®, M_o_R® and ITIL® are Registered Trade Marks of AXELOS Limited.

COBIT® is a registered trademark of ISACA/IT Governance Institute (ITGI).

Effective IT governance and management, that is closely aligned to the business needs and supported by a strong business partnership, is extremely vital to the success of the IT function within corporate enterprises and on a global basis. Dr. Selig’s book on this very topic is a great resource for all IT practitioners, senior business professionals and brings together every critical aspect relating to IT governance.

The second edition lays out a roadmap to executing within a solid governance model. It looks at all aspects of establishing, planning, implementing, growing and sustaining an IT ecosystem. The combination of case studies and disciplined approaches to building well-structured processes, committed leaders and change agents will help the board, executive management and most of all, CIOs and IT professionals think through what has worked, what can work and how to deploy IT governance successfully.

Being a CIO for many years in a highly competitive industry, I have developed a respect for the process side of running IT like a business. There has always been a need to balance governance for IT with the demands and services needed to support the business. This requires effective implementation of guiding principles and controls to ensure corporate enterprises optimize their investments and, more importantly, ensures that all IT resources are well organized and utilized to help drive business value.

In my experience, Information Technology and its effective management is a fundamental cornerstone of any well-run business. Ensuring that the IT function is fully supporting the business strategy and goals of the company is all about ensuring that the IT organization, processes and performance are designed with a view to constantly providing and measuring business value. Successful CIOs recognize that IT has become far more than a means of increasing efficiency and reducing costs. Rather, they see IT as a prime stimulus for, and an enabler of, business innovation and transformation – and they themselves are viewed as key collaborators, facilitators and partners in a process that develops business and IT strategies in concert.

Ever since the recent economic recession, coupled with the growing reliance on social media and mobile - one thing we are sure of is that “Change is the New Norm”!

Therefore, never before has it been more critical to cultivate a holistic management model for the information technology function that is well aligned to the business needs. Business today is faced with far more rapidly changing and challenging market conditions, industry disruption, ever-changing regulations, the need for accessible analytics and more demanding and impatient customers. In parallel to this, new technology approaches such as cloud, digital, mobile, ‘big data’, Internet of Things, and visual analytics, all present new ways of doing things that, therefore, challenge the status quo. These external challenges, coupled with the new technology opportunities, along with the need to support normal business demands such as: to market and administer a new product quickly, scale and protect the core infrastructure and company data, drive company change, all taken together elevate the dependency that successful businesses today have on technology and hence highlight the need for a strong and comprehensive governance model between IT and the business. IT practitioners today have to work with an ever-changing business and IT landscape, where the pace of change is tremendous, business competition and demand for IT services is extremely high, budgets are challenged and talented technical resources are always scarce – this book should help provide some innovative insights into IT governance in an era of change and complexities!

I have known Dr. Selig for more than five years and have enrolled members of my senior staff onto an IT governance seminar led by him. He is a seasoned IT veteran who has organized a set of proven, fundamental approaches for the IT professional and has a passion for sharing these approaches. In this book, Dr. Selig combines practical business experience and practices along with academic principles, which together provide a valuable and insightful contribution to help advance the role of IT and its value to the business. Whether you are a board member, a CEO, a practicing CIO, or a student of IT, this book will provide a reference and guide to ensure that your IT function is well aligned to your business needs and is well managed and governed to achieve maximum business value for your organization.

Ursuline Foley

Enterprise/Corporate CIO

Major Insurance/Reinsurance Company

Dr. Selig’s second edition of the book on IT governance is an excellent addition to the knowledge base focused on the business of information technology. It is an excellent compilation of practical and useful information on the governance of IT in business and government.

The book highlights many of the concepts I have endorsed and encouraged for years as well as new ideas and information. The book is comprehensive and written in a reader-friendly way.

I look forward to recommending this book to readers at all levels in my client organizations dealing with the issues, and looking for solutions, in the complex and fast-changing world of IT governance.

IT governance offers you the who, what, where, when, and how to properly organize, plan, align, manage, and measure the effectiveness of the IT function in any organization. Dr. Selig provides a good balance between the people, technology, and process challenges essential to optimizing IT as an expensive corporate asset.

The book reinforces the fact that IT is not an independent organization silo. It must be aligned and integrated effectively with the business, and in government the mission, throughout the organization. Dr. Selig shows the balance - that IT supports the business or organization mission, but also, when properly aligned, managed, and resourced, will enable the organization to prosper, innovate, and grow effectively.

I have known Dr. Selig more than 25 years as a client, Alliance Partner, and good friend. He is a seasoned educator and business, consulting and IT veteran. He has organized a set of fundamental approaches for the IT professional and business and government executives. In this book, Dr. Selig’s practical experience as a leader provides a valuable contribution to advance the field. Whether you are a board member or CEO, a practicing CIO, or a student of IT, this book will guide you through complex business, process and technological roadmaps that work.

Dr. Selig’s book is an excellent reference source in a critical area with many fast-changing parts. It is a must-have for teachers, executives, and managers dealing with IT.

John A. McCreight

Founder & Chairman

McCreight & Company, Inc. ~ CIO Group, LLC ~ Board Effectiveness Partners, LLC ~ Second Opinion, LLC

The issues, opportunities and challenges of aligning information technology more closely with an organization and effectively governing an organization’s Information Technology (IT) investments, resources, major initiatives and superior uninterrupted service are becoming a major concern of the board and executive management in enterprises on a global basis. IT has become an integral part of many organizations and is fundamental to sustain growth, innovation and transformation and support continuing operations in most organizations. Therefore, an integrated and comprehensive approach to IT governance is required, which includes all the activities of business/IT alignment, global resource planning, execution and governance of IT as well as the leadership of those entrusted with the task. Effective ‘management’ includes the activities of planning, investment, integration, measurement, innovation and business transformation, deployment and services required to manage a complex strategic asset.

The author views IT governance as the focal point for more effective IT management around which there are many important issues such as alignment, leadership, planning, execution, accountability, metrics and related topics. In other words, superior IT governance represents the path to world class IT management practices.

None of this is easy, or obvious, and this pragmatic and actionable ‘how to guide’ is intended to pull together, from about 200 sources, current and emerging best practices and draw from over twenty IT governance best practice case studies. Some of these case studies are included in the book.

Effective IT governance represents a journey (not an end state in itself), which focuses on sustaining value and confidence across the business. Today, many companies start on a narrow path or shotgun approach and focus on the compliance component (e.g. Sarbanes-Oxley and others) of IT governance, without developing a more comprehensive framework with a prioritized roadmap based on the highest value delivered to the organization.

In reviewing the current literature, completing over twenty case studies and conducting numerous private and public IT governance workshops and consulting assignments, both domestically and internationally, over the past few years, attended by thousands of executives, managers and practitioners, the author has found that much has been written and documented about the individual components of IT governance: IT/business alignment, planning, deployment (e.g. program/project management, IT service management, outsourcing, cloud computing, data management, etc.) and governance (e.g. performance management and control). However, much less has been written about a comprehensive and integrated IT/business alignment, planning, execution and governance approach: a balanced approach consisting of a strategic top-down framework and roadmap together with bottom-up implementation principles and practices that address the broad range of IT issues, constraints and opportunities in a planned, coordinated, prioritized, cost effective and value delivering manner.

The purpose of the book is not to repeat in greater details what has been published previously, but to describe each of the major components in an overall comprehensive framework and roadmap in sufficient detail for executives, managers and professionals. It is hoped that the book can serve as a guideline for any organization in any industry to formulate and tailor an effective approach to IT governance for its environment and to help transition the IT organization to a higher level of maturity, effectiveness and responsiveness.

The second edition of the book contains a new chapter on cloud computing, data management and governance, updates to the case studies and new material. Throughout the entire book the text has been updated on leadership, transformation, AgilePM and Scrum, ITIL 2011 Edition, performance management, risk management, CGEIT (COBIT IT Governance), cloud sourcing, security, select ISO standards related to IT governance and other topics.

■  THE MARKET FOR THE BOOK

Many executives, managers and practitioners have expressed the need for a comprehensive, yet practical guide, based on real world experiences, on the subject of implementing IT successfully.

The book has been written by a former business and IT executive and practitioner who has managed businesses and IT organizations, managed strategic change and advised major public and private organizations on business and IT strategy and governance. He has also completed numerous consulting assignments, conducted private and public workshops and graduate business and engineering courses on the fundamentals of managing and implementing strategy, innovation, management, IT strategy formulation, governance and transformation of IT to integrate seamlessly with the business.

Our intended audiences include the following groups:

■   Directors of corporate boards – who have overall fiduciary accountability to provide oversight for the business and key functions of the business.

■   Executives – who are primarily responsible for developing and/or approving business/IT strategy and then overseeing its implementation and governance (the ‘C’ suite of corporate officers).

■   Managers and professionals – who are primarily responsible for implementing and governing IT in their organizations and institutions.

■   Consultants and other advisors – who are involved in advising, planning, organizing, directing and governing IT initiatives to help transform businesses and organizations to compete more effectively around the world.

■   Academicians, graduate and upper level undergraduate students – who must teach and master a fundamental understanding of IT and how it impacts businesses, management, employees, the regulators and investors.

The demand for an updated comprehensive, pragmatic and actionable ‘how to’ guide to help managers and practitioners plan, deploy and sustain an effective IT governance and management environment and culture has been expressed by many managers and professionals in the private, public and academic sectors.

■  ORGANIZATION OF THE BOOK

The book is divided into two parts and ten chapters, which cover the three critical pillars necessary to develop, execute and sustain a robust and effective IT governance and management environment - leadership, people and organization, flexible and scalable processes and enabling technologies.

Part I covers the overview, business/IT alignment, strategic planning, demand management, the integrated IT governance framework and leadership, teams and organization. Part II covers the process and technology topics including: execution and delivery management (includes program/project management, IT service management and delivery with the IT Infrastructure Library (ITIL) and strategic sourcing and outsourcing); performance measurements, risk and contingency management (e.g. includes COBIT, the balanced scorecard and other metrics and controls), cloud computing, data management and enabling technologies.

Part I Business/IT Strategy, Alignment, Leadership, Teams and Organization

Part I of the book focuses on the chapters covering business/IT strategy, alignment, leadership, teams and organization required to develop and execute an effective IT governance environment. It focuses on the strategy formulation, people and organizational aspects.

Chapter 1 Introduction to IT/Business Alignment, Planning, Execution and Governance

Covers the key IT/business alignment, integration, planning, execution, governance issues, constraints and opportunities; discusses the roles of the board, executive management and practitioners; reviews the value propositions for IT governance, provides an overview of demand management, decision rights, balanced scorecard metrics and how much governance is required; reviews select regulations and their compliance requirements; identifies the steps in making IT governance real and provides an assessment technique to determine the current level of IT governance maturity in an organization and illustrates a blueprint of a future state of IT governance. It also covers functional and IT components related to governance such as platform, infrastructure, application development, operations, security and related topics.

Chapter 2 Overview of a Comprehensive IT Governance and Management Framework and Select Industry Current and Emerging Best Practice Frameworks, Standards and Guidelines

Describes and illustrates a comprehensive IT alignment, execution framework and its major components. References and brief descriptions of related current and emerging industry best practices, standards and guidelines, including maturity models are discussed such as COBIT, Strategic Planning, ISO 9001 (Quality), ISO 20000 (IT Service Management), ISO 27002 (IT Security), ISO 38500 (IT Governance) and ISO 31000 (Risk Management), PMI’s PMBOK Guide v5, PMI’s Standard for Program Management v3, PMI’s Standard for Portfolio Management v3, Project and Portfolio Management, AgilePM (Project Management) and Scrum, CMMI, People-CMM, ITIL 2011 Edition, PRINCE2, PMMM, ITIM, VAL-IT, ISO 21500 (Guidance on Project Management), SDLC/IDLC, Lean & Six Sigma, eSCM, OPBOK, Baldrige, Lean IT, TOGAF, BABOK Guide, BISL, the balanced scorecard, related professional certifications and others and how, if followed, they can result in more effective IT governance and management.

Chapter 3 Business and IT Alignment, Strategic/Operating Planning and Portfolio Investment Management Excellence (Demand Management)

Covers the business and IT strategic planning cycle, executive steering groups, business/IT integration maturity model, IT planning through execution management flow, IT investment portfolio selection and prioritization attributes and VOC engagement model.

Chapter 4 Principles for Managing Successful Organizational Change, Prerequisites for World Class Leadership and Developing High Performance Teams

Covers key leadership, talent, people and soft skills and competencies required for success. It also covers the attributes of successful traditional and virtual teams in a global environment. It discusses technologies used by virtual teams located anywhere. It also reviews a framework for managing successful change in helping to transition and transform organizations to higher levels of IT maturity and effectiveness. It also covers the shadow IT organization and structure and how to strengthen the partnership between more sophisticated IT technology users and the IT organization.

Part II IT Governance and Its Critical Processes and Enabling Technologies

Part II of the book focuses on the chapters covering project management, IT service management, outsourcing, cloud computing, big data management, analytics and metrics related to IT governance.

Chapter 5 Program and Project Management Excellence (Execution Management)

Program and project management is a major component of effective IT execution management. It discusses the right and pragmatic ways to manage programs and projects within a flexible and scalable process, accommodating both fast track and complex initiatives. It provides multiple checklists, templates and metrics to help deliver programs and projects on time, within scope, within budget, with high quality and to the customer’s satisfaction and/or get them back on track. It references a self-assessment maturity model that can be used to assess the current and target the future maturity level of an organization and suggests a transition plan to get there. It also covers Agile project management and Scrum.

Chapter 6 IT Service Management (ITSM) Excellence (Execution Management)

Describes the principles and practices of IT service management and operations providing an overview of ITIL 2011 Edition (IT Infrastructure Library), its processes and components. Specific objectives, benefits, and key performance indicators are covered. It illustrates a self-assessment maturity model that can be used to assess the current and target the future maturity level of an organization and suggests a transition plan to get there.

Chapter 7 Strategic Sourcing, Outsourcing, Vendor Management and Excellence

Provides the fundamentals of strategic sourcing and outsourcing such as issues, concerns, opportunities, value propositions, outsourcing lifecycle, the outsourcing business case, risks, modes of outsourcing (e.g. on-shore, rural shore, near shore, off shore, best shore, etc.), vendor selection, due diligence, contract negotiations and ongoing management roles, including relationship management, metrics, escalation and disengagement considerations. It also covers key components of crowd sourcing.

Chapter 8 Performance Management, Metrics, Management Controls, COBIT®, Risk Management, Business Continuity and Enabling Technology Excellence

Covers the principles and practices of achieving IT performance excellence using balanced scorecard metrics and linking critical success factors to historic and predictive key performance indicators (KPIs). It reviews COBIT. It also covers risk management, assessment and mitigation strategies, and business and IT continuity planning and disaster recovery. Finally, it describes a suite of technology tools that support and enable the key IT alignment, execution and governance functions and processes.

Chapter 9 Cloud Computing, Data Management and Governance Issues, Opportunities, Considerations and Strategies

Cloud computing delivers computing resources (servers, storage, networks and applications) as network-based services over the Internet; the services appear to be provided by dedicated server hardware but are typically delivered by virtualized software running on one or more shared physical machines. Cloud computing is a form of outsourcing with its own issues, opportunities, risks and metrics. Big data, analytics, business intelligence and decision support systems are components of data management and require the use of databases, statistics, software tools and analytical skills to extract information that helps make decisions to reduce costs, improve quality, reduce risks and assist in focusing on the most valuable customers. The data management and governance issues and strategies are addressed in this chapter.

Chapter 10 Summary, Lessons Learned, Critical Success Factors and Future Challenges

Summarizes the components required to anticipate and proactively implement IT governance and management effectively. It provides a summary checklist of all of the key components and critical success factors identified in each chapter to make IT governance real, effective and sustainable.

I gratefully acknowledge the help and support of a number of individuals, organizations and their members in the private, public and academic sectors in conducting the research, editing the book, participating in developing the case studies, allowing me to consult and/or teach for them and influencing, reinforcing and validating the findings, recommendations, critical success factors and lessons learned.

Select organizations include: The Industry Advisory Board members at the University of Bridgeport and its Board members, many of whom allowed me to conduct case studies or workshops at their facilities such as ADP, Avon, Crisply, GE, X.L. Financial, IAOP, ITSqc, IPC Corp., Oracle, Pitney Bowes, Unilever, Vodaphone and Xerox. In addition, many extraordinary managers and professionals helped me from the Project Management Institute (PMI), the Information Technology Governance Institute and its sister organization, ISACA, the International Association of Outsourcing Professionals, the CIO Group, The Advisory Council (TAC) and select members of the Society for Information Management (SIM).

I would also like to thank specific people for their help, contributions and insights: Christine Bullen formerly at Stevens Institute of Technology, Paul Bateman at AXA, Mark Richards at e-Richards, Rebecca Brunotti, formerly of the General Services Administration – Federal Technology Services, Joann Martin formerly at Pitney Bowes, Nicholas Willcox at Unilever, Tarek Sobh at the University of Bridgeport, Michael Corbett at IAOP, Dick Lefave formerly at Sprint-Nextel and one of my co-authors of our Strategic Sourcing and Outsourcing book, Peter Shay at TAC, Jim Shay at Cyber Defense, Urs Foley at X.L. Financial, Michael Fry and Beth Gollogly at Xerox, Greg Fell, formerly at Terex and now at Crisply, Art Parkos and Rajiv Arora at Pitney Bowes, Susan Certoma at Broadridge, Israel Hersh and Joe Smularski at IPC Systems, Robert Testa at ADP, Ketan Risbud at Avon, John McCreight at McCreight and Company, and others.

A special thanks goes to Nirmala Devi Jeyakumar and Manali Khaniwale Vispute, my graduate assistants at the University of Bridgeport who helped me with conducting research for the book and coordinating the many revisions to the manuscript. I also want to thank the many executives, managers and professionals who have attended my seminars and workshops over the years, as well as my students who have attended my graduate classes. All of them have contributed to my knowledge and challenged me to learn more and stay current in a rapidly changing field.

In addition, I would like to thank my publisher, Bart Verbrugge at Van Haren Publishing for his friendship, editorial suggestions and encouragement to complete this project, as well as my editor, Steve Newton.

I would like to dedicate this book to my wife, mate and life-long partner, Phyllis, for her love, dedication, understanding, and support that she has given me throughout our time together. Our children, Camy, Dan, Gabe, our children through marriage, Beth and Andy and our grandchildren, Jason, Jacob, Jesse, Samantha and Zachery who also inspired me to finish the project so that I could devote more time to them.

Dr. Gad J. Selig, PMP, COP

Fairfield, CT

PART I LEADERSHIP, PEOPLE, ORGANIZATION AND STRATEGY

1   INTRODUCTION TO IT/BUSINESS ALIGNMENT, PLANNING, EXECUTION AND GOVERNANCE

1.1   What is Covered in This Chapter?

1.2   Overview

1.3   Definition, Purpose and Scope of IT Governance

1.4   Linking the CEO Role to Achieving Business Growth, Improving Profitability and Creating an Effective Governance and Compliance Environment

1.5   Overview of the Integrated IT Governance Framework, Major Components and Prerequisites

1.6   Steps in Making IT Governance Real

1.7   Case Study – Global Consumer Goods Company

1.8   Summary and Key Take Aways

2   OVERVIEW OF INTEGRATED IT GOVERNANCE AND MANAGEMENT FRAMEWORK AND SELECTION OF CURRENT AND EMERGING BEST PRACTICE FRAMEWORKS, STANDARDS AND GUIDELINES

2.1   What is Covered in This Chapter?

2.2   Overview

2.3   Integrated IT Governance Framework and Roadmap

2.4   Select Examples of Current and Emerging Business/IT Alignment and Governance Reference Models, Frameworks and Standards

2.5   Case Study – Leading Business Services/Manufacturing Company

2.6   Summary, Implications and Key Take Aways

3   BUSINESS/IT ALIGNMENT, STRATEGIC PLANNING AND PORTFOLIO INVESTMENT MANAGEMENT EXCELLENCE (DEMAND MANAGEMENT)

3.1   What is Covered in This Chapter?

3.2   Overview

3.3   Principles of Aligning IT to the Business More Effectively

3.4   Setting a Direction for Improved Business/IT Alignment Through Planning Related Processes

3.5   Strategic IT Investment Portfolio Management Alternatives

3.6   IT Engagement and Relationship Model and Roles

3.7   Case Study – Regional Financial Services Organization

3.8   Summary and Key Take Aways

4   PRINCIPLES FOR MANAGING SUCCESSFUL ORGANIZATIONAL CHANGE, PREREQUISITES FOR WORLD CLASS LEADERSHIP AND DEVELOPING HIGH PERFORMANCE TEAMS

4.1   What is Covered in This Chapter?

4.2   Overview

4.3   Framework for managing accelerating change

4.4   Organizing for the IT governance initiative

4.5   World Class Leadership Principles and Practices

4.6   Principles for Creating and Sustaining High Performance Teams

4.7   Case Study – Global Business Outsourcing Services Company

4.8   Summary and Key Take Aways

Part II IT Governance, the Major Component Processes and Enabling Technologies

5   PROGRAM AND PROJECT MANAGEMENT EXCELLENCE (EXECUTION MANAGEMENT)

5.1   What is Covered in This Chapter?

5.2   Overview

5.3   Project Management is Complex but Has Significant Value

5.4   Principles for Achieving Excellence in Program/Project Management

5.5   Making the Choice – Program and Project Management Light or Complex

5.6   Program and Project Governance Excellence

5.7   Agile Project Management (AgilePM®) and Scrum

5.8   Case Study – U.S. Federal Government Agency

5.9   Summary and Key Take Aways

6   IT SERVICE MANAGEMENT (ITSM) EXCELLENCE (EXECUTION MANAGEMENT)

6.1   What Is Covered in This Chapter?

6.2   Overview

6.3   Principles for Achieving IT Service Management Excellence

6.4   What is ITIL and Why is It Different?

6.5   ITIL Frameworks, Certifications and Qualifications

6.6   Select ITIL® 2011 Edition Processes and Functions by Core Phases

6.7   Steps in Making ITIL Real and Effective

6.8   Case Study – Global Manufacturing Organization

6.9   Summary and Key Take Aways

7   STRATEGIC SOURCING, OUTSOURCING AND VENDOR MANAGEMENT EXCELLENCE

7.1   What is Covered in This Chapter?

7.2   Overview

7.3   Principles and Practices for Outsourcing Excellence from a Customer Perspective

7.4   Vendor Selection, Contract Negotiations and Risk Management

7.5   Crowdsourcing

7.6   Steps in Making Outsourcing Real

7.7   Case Study – Major Pharmaceutical Company

7.8   Summary Steps and Key Take Aways

8   PERFORMANCE MANAGEMENT, METRICS, MANAGEMENT CONTROLS, COBIT®, RISK MANAGEMENT, BUSINESS CONTINUITY AND ENABLING TECHNOLOGY EXCELLENCE

8.1   What is Covered in This Chapter?

8.2   Overview

8.3   Principles for Achieving Performance Management and Control Excellence

8.4   COBIT® - Control Objectives for Information and Related Technologies

8.5   Risk Assessment, Management and Mitigation

8.6   Business and IT Continuity and Protection Plan Checklist

8.7   Enabling Technologies to Improve IT Governance

8.8   IBM Process Reference Model for IT (PRM-IT)

8.9   Case Study – Global Manufacturing and Managed Services Company

8.10 Summary and Key Take Aways

9   CLOUD COMPUTING, DATA MANAGEMENT AND GOVERNANCE ISSUES, OPPORTUNITIES, CONSIDERATIONS AND APPROACHES

9.1   What is Covered in This Chapter?

9.2   Overview and Definitions

9.3   Cloud Computing

9.4   Data Management

9.5   Case Study – Major Insurance and Reinsurance Company

9.6   Summary and Key Take Aways

10 SUMMARY, LESSONS LEARNED, CRITICAL SUCCESS FACTORS & FUTURE CHALLENGES

10.1 What Is Covered in This Chapter?

10.2 Migration Plan for Making IT Governance Real and Sustainable

10.3 Composite Checklist for Implementing and Sustaining Successful IT Governance in Organizations

10.4 Lessons Learned

10.5 Critical Success Factors

10.6 Implications for the Future and Personal Action Plan

Appendix A Glossary

Appendix B References, alphabetical

Appendix C References - Topic List

Appendix D Managing Accelerating Change and Transformation Framework

Part I of the book covers chapters 1 through 4. It focuses on an overview of IT governance, alignment and strategy, leadership teams, organization and managing change. It also references current and emerging best practice industry frameworks, guidelines and standards that are useful and applicable to IT management and governance and its major components.

On Change and Innovation:

“Never be afraid to try something new.

Remember, amateurs built the Ark, professionals built the Titanic!”

Anonymous

■  1.1   WHAT IS COVERED IN THIS CHAPTER?

■   Provide an overview and summary of the key business/IT planning, execution, governance issues, constraints, opportunities and processes;

■   Discuss the roles of the board, and responsibilities of executive management and the CIO;

■   Review the value propositions for IT governance;

■   Provide an overview of IT demand management, decision rights, balanced scorecard metrics and how much governance is really required;

■   Identify steps in making IT governance real and pragmatic;

■   Discuss an assessment technique to determine the current level of IT governance maturity in an organization and illustrate a blueprint of an ideal, future target state of IT governance.

■  1.2   OVERVIEW

The issues, opportunities and challenges of aligning information technology more closely with an organization and effectively governing and managing an organization’s Information Technology (IT) investments, resources, major initiatives and superior uninterrupted service are becoming a major concern of the board and executive management in enterprises on a global basis. IT has become a critical function in most organizations and is fundamental to supporting and sustaining innovation, growth and survival.

Therefore, a comprehensive top-down approach to IT governance, with bottom-up execution, is critical to achieving a cost effective solution. IT governance is a key component of enterprise governance and includes all the activities of business/IT alignment, planning, execution, management, control and governance of IT, as well as the leadership of those entrusted with the task. Effective ‘management’ includes the activities of planning, investment, integration, measurement, deployment and providing the services required to manage a complex and valuable strategic asset. Enterprise governance represents the entire management accountability and control framework of an organization, including the roles and responsibilities of the board, the CEO and other functional managers, to ensure that the organization meets its objectives and plans in an ethical manner. Enterprise governance and corporate governance are terms used interchangeably.

None of this is easy, or obvious, and this pragmatic and actionable ‘how to guide’ is intended to draw from over 500 current and emerging best practice sources and over twenty-five IT governance best practice case studies, some of which are included in the book.

The purpose of the book is not to repeat in greater detail what has been published previously, but to describe each of the major IT governance components as part of an overall comprehensive framework and roadmap, in sufficient detail for executives, managers and professionals to use it as a guideline and starting point. An organization of any size, in any industry, can then develop and tailor a workable and realistic approach to its environment, strategies, priorities, capabilities and available resources, and transition its IT organization to a higher level of maturity, effectiveness, responsiveness and management.

1.2.1   Today’s business challenges and drivers

Our world is in a time of remarkable and sometimes overwhelming change. The pace of change is accelerating on a global basis. Reducing costs, increasing speed to market, continuous improvement, greater innovation and creativity, more compliance, more effective accountability, globalization and more demanding and sophisticated customers are some of the pressures facing business and IT executives.

Figure 1.1 illustrates select pressures and drivers that organizations must deal with in a rapidly and dynamically changing global environment.

1.2.2   Scope and definition of enterprise governance and its relationship to business and IT governance

The discipline of enterprise governance begins at the top. The critical questions here are: How is a corporation’s board of directors structured? Does it operate in a way that ensures its ability to fulfill its obligation to safeguard the resources of the company and the interests of corporate stakeholders?

Figure 1.1 Today’s business challenges

Effective corporate governance requires the board to focus on general oversight and stewardship of the corporation, and to refrain from involvement in the day-to-day operations of the company. In this way, the board is able to maintain an integrated and relatively objective perspective on the company’s operations, which helps it to steer the firm in the direction that will most benefit not only shareholders, but also the corporation in its entirety (Lam, 2014).

According to the International Federation of Accountants (IFAC), “Enterprise governance constitutes the entire accountability framework of the organization.” Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that plans and objectives are achieved, assessing that risks are proactively managed and assuring that the enterprise’s resources are used responsibly.

In an increasingly information technology-dependent world, the impact of the extraordinary changes brought about by the nexus of mobile and cloud technologies, social media and big data is increasingly being felt in the board room. As leaders of enterprises of every type and size, board directors can no longer afford to ignore, delegate or avoid IT-related decisions. Competitive, financial and reputational risk is increased if boards fail to recognize their role in governing technology as an asset and in removing barriers to improving enterprise information technology governance. Directors’ awareness of the need for IT governance is increasing.

Enterprise governance includes the leadership and governance oversight of enterprise architecture to align business strategy, structures, systems, policies, processes and relational mechanisms. This strategic oversight enables customers, shareholders, stakeholders, people in IT and from across the business (including HR, communications, finance, engineering operations, marketing and others) to cost effectively engage to create enterprise value from the use of data and information, services and technologies. In short, enterprise governance represents the highest level of organizational and managerial discipline.

Enterprise governance deals with the separation of ownership and control of an organization (e.g. board members represent the stockholders), while business governance focuses on the direction, control and execution of the business plan and strategies by the CEO and his/her team and IT governance focuses on the direction, control and execution of IT plans and strategies (e.g. CIO and his/her team). Figure 1.2 compares and differentiates the key characteristics of enterprise governance versus business governance versus IT governance.

Enterprise governance drives business and all functional governance (e.g. IT)

Enterprise Governance – Separation of Ownership & Control (Board):

•   Roles of Board and Executives

•   Regulatory Compliance Oversight

•   Shareholder Rights

•   Business Operations & Control Oversight

•   Financial Accounting & Reporting Oversight

•   Risk Management Oversight

Business Governance – Direction & Control of the Business (CEO and Executives):

•   Business Strategy, Plans & Objectives

•   Manage Execution

•   Performance Metrics, Controls and Incentives

•   Intellectual Capital and Management/Succession Planning

•   Manage Innovation, Proactive Change and Continuous Improvements

IT Governance – Direction and Control of IT (CIO and Direct Reports):

•   IT Strategy, Plans & Objectives

•   Alignment with Business Plans and Objectives

•   IT Assets and Resources

•   Demand Management (Customer)

•   Value Delivery and Execution Management (PM, Service Management)

•   Risk, Change & Performance Management

Figure 1.2 Enterprise governance versus business governance versus IT governance

1.2.3   The board’s role in IT governance

Historically, the board of directors of public companies has focused, through committees, on such issues as audit, executive compensation, executive succession planning and others.

With the growing importance of IT in an increasing number of organizations, boards are forming committees that focus on IT strategy, investments and IT governance as part of enterprise governance. Based on a report by the IT Governance Institute, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT function sustains and extends the organization’s strategies and objectives.” (IT Governance Institute, 2003)

1.2.4   Major challenges and issues faced by IT

In our research, we compiled a list of IT challenges and issues identified by multiple independent sources. There appears to be a common thread running through these issues and therefore, we have summarized them into strategic, value enhancing and execution questions.

Board and executive questions for IT:

■   Does the IT strategy align with the business strategy?

■   Is the IT investment justified based on its contributions to the business?

■   How likely is it that IT will meet or exceed its plans, objectives and initiatives?

■   Is IT being managed prudently and effectively? How is that measured?

■   How is IT delivering value? Is there a consistent IT business case format used for justifying IT investments?

■   Is IT developing and maintaining constructive relationships with customers, vendors and others?

■   Is IT delivering projects and services on time, within scope, within budget and with high quality?

■   Is IT staffed adequately, with the right skills and competencies?

■   Is there a standard measurement for IT investment across the firm?

■   How do IT management and operations compare to those of other best practice organizations?

■   How is IT managing and planning for contingencies, disasters, security, back-up and privacy?

■   How is IT measuring its performance? What are the key performance measures?

■   How effectively is IT communicating its progress and problems to its constituents such as executive management, sponsors, user community and other constituents?

■   What controls and documentation have been instituted in IT? Are they sufficient?

■   Does the board review and approve the overall IT strategy? Major projects?

■   Is a risk management policy, assessment and mitigation practice followed for IT?

■   Is IT compliant with federal, state and country (for global organizations) regulations and internal policies and controls?

■   Are IT audit policies, procedures and processes in place and followed?

■   Is there a succession plan in place for the CIO and key direct reports?

Top issues identified and ranked by over 100 CIOs in a CIO article (Nash, 2012) included:

1.   Coping with accelerating change (and becoming one of the key drivers of innovation and change).

2.   Aligning IT strategy with the business strategy and enterprise governance.

3.   Meeting the business needs effectively.

4.   Infrastructure and IT service management (reliability and scalability).

5.   Dealing with senior management and the board (getting a seat at the ‘C’ table).

6.   Managing costs, budgets and resources (internal and external).

7.   Security, privacy, compliance and mitigating risks.

8.   Recruiting and retaining staff.

9.   Strengthening governance policies and practices.

10. Maintaining exemplary skills and knowledge (continuous learning).

Select issues addressed by a panel of CIOs of global organizations such as Pepsi, GE, IBM, Ogilvy and Mather, Pitney Bowes and others at a recent Society for Information Management (SIM) Chapter meeting:

■   How do you align the IT strategy with the business strategy? What processes and tools are used? Who is involved? What worked? What did not?

■   How and in what areas is IT delivering value to your organizations? How is it measured?

■   How do you ensure that IT delivers on its plans and commitments and executes effectively? Program/project management? IT service management? Security? Privacy? Business and IT continuity? IT performance metrics? Data management and analytics?

■   How is IT developing/sustaining constructive and positive relationships with its customer community? Executive management? Vendors?

■   What IT controls, governance and compliance frameworks, processes, tools and techniques are being used? What worked? What did not?

■   Has your business aligned itself with technology, innovation, the customer and is it open to managing accelerating change?

■   How is IT performance measured? What KPIs are used at CIO level? Above CIO Level? Below CIO level?

■   How effective is IT in marketing and communicating its progress and performance results to its constituents? What tools and techniques are used? How often?

■   How do you sustain continuous improvement initiatives to increase the level of IT maturity and effectiveness, staff development, constituent ownership and decision rights?

■   How are you sustaining compliance in processes and reporting?

■   Does the board/operating committee/senior business leadership review and approve the IT strategy, priorities and funding? Major changes to plan, programs and budgets?

Summary of key strategic, value enhancing and execution questions

Strategic questions - are we doing the right thing? Is the investment in IT:

■   In line with our business vision, strategy and capital budgeting?

■   Consistent with our business principles, plan and direction?

■   Contributing to our strategic objectives, sustainable competitive differentiation and business continuity support?

■   Providing optimum value at an acceptable level of risk?

■   Representing a long term view (roadmap)?

■   Including an architectural roadmap based on a detailed analysis of the current state or condition of IT?

Value questions – are we getting the benefits:

■   From a clear and shared understanding and commitment to achieve the expected benefits?

■   From clear accountability for achieving the benefits which should be linked to MBOs (Management by Objectives) and incentive compensation schemes for individuals and business units and/or functional areas?

■   Based on relevant and meaningful metrics and linked to corporate performance measurement systems?

■   Based on a consistent benefits realization process and sign-off?

Delivery and execution questions – are we deploying well and effectively? How do we measure our results:

■   Scalable, disciplined and consistent management, governance, delivery of quality projects and operations;

■   Appropriate and sufficient resources available with the right competencies, capabilities and attitudes;

■   A consistent set of metrics linked to critical success factors and realistic key performance indicators (KPIs);

■   Using succession planning.

Figure 1.3 Major challenges for IT

Figure 1.3 summarizes the major IT challenges being addressed by a major global software organization as part of its IT planning and governance process.

At the end of the day, it comes down to a need for a plan and action program that can be executed. At the same time, the role of the CIO is also undergoing significant change. Successful CIOs recognize that IT has become far more than a means of increasing efficiency and reducing costs. Rather, they see IT as a prime stimulus for, and enabler of, business innovation and change – and themselves as key collaborators in a process that develops business and IT strategies in concert. Throughout the book we address many of the above challenges and issues.

■  1.3   DEFINITION, PURPOSE AND SCOPE OF IT GOVERNANCE

Definition of IT governance

Governance formalizes and clarifies oversight, accountability and decision rights for a wide array of IT strategy, integration, resource and control activities. It is a collection of management, planning and performance review policies, practices and processes with associated decision rights, which establish authority, sponsorship, controls, a baseline and performance metrics over investments, plans, budgets, commitments, services, major changes, security, privacy, business continuity, risk assessment and compliance with laws and organizational policies. (Peter Weill, et al., 2004, and modified by the author.)

Purpose of IT governance:

■   Align IT investments and priorities more closely with the business strategy and risk appetite;

■   Manage, evaluate, prioritize, fund, measure and monitor requests for IT services and the resulting work and deliverables, in a more consistent and repeatable manner that optimizes returns to the business (e.g. portfolio investment management);

■   Utilize resources and assets responsibly;

■   Establish and clarify accountability and decision rights (clearly defines roles, responsibility and authority);

■   Ensure that IT delivers on its plans, budgets and commitments;

■   Manage major risks, threats, change and contingencies proactively;

■   Improve IT organizational performance, compliance, maturity, staff development and outsourcing initiatives;

■   Improve the voice of the customer (VOC), demand management and overall customer and constituent satisfaction and responsiveness;

■   Manage and think globally, but act locally;

■   Champion innovation and proactive change within the IT function and the business.

Scope of IT governance:

Key IT governance strategy and resource decisions must address the following topics (modified from Peter Weill, et al., 2004; Charles Popper, 2000; ISACA, 2013; ISO 38500:2008):

■   IT principles – high level statements about how IT is used in the business (e.g. scale, simplify and integrate; reduce TCO (Total Cost of Operations) and self-fund by re-investing savings; invest in customer-facing and other revenue generation systems; transform business and IT through business process transformation; strategic plan directions, PMO (Project Management Office), sustain innovation and assure regulatory compliance, etc.).

■   IT architecture – organizing logic for data analytics, applications and infrastructure captured in a set of policies, relationships, processes, standards and technical choices (e.g. cloud computing) to achieve desired business and technical integration, standardization and cost optimization.

■   SOA architecture – service oriented architecture (SOA) is a business-centric IT architectural approach that supports the integration of the business as linked, repeatable business tasks or services. SOA helps users build composite applications that draw upon functionality from multiple sources within and beyond the enterprise to support business processes.

■   IT (enterprise) infrastructure – centrally coordinated, based on shared IT services that provide the foundation for the enterprise’s IT capability and support, which may be insourced, outsourced or both. This should follow the TOGAF guideline for enterprise architecture defined in greater detail in Chapter 2. TOGAF guidelines may also be used for the IT and SOA architecture areas.

■   Business application needs – specifying the business need for purchased or internally developed IT applications.

■   IT investment and prioritization – decisions about how much and where to invest in IT (e.g. capital and expense), including development and maintenance projects, infrastructure, security, people, keeping the lights on, etc.

■   People (human capital) development – decisions about how to develop and maintain global IT leadership, management and technical skills and competencies (e.g. how much and where to spend on training and development, industry certifications, etc.).

■   IT governance policies, processes, mechanisms, tools and metrics – decisions on composition and roles of steering groups, advisory councils, technical and architecture working committees, project teams; key performance indicators (KPIs); chargeback alternatives; performance reporting, meaningful audit processes and the need to have a business owner for each project and investment. It is important to adopt an outcomes-based approach to IT governance. This will ensure that an organization is appropriately guided in its use of IT.

1.3.1   Who benefits from effective and sustainable IT governance?

Everyone in an organization benefits from effective IT governance. According to Charles Popper (Popper, 2003; Selig, 2008), the following audiences benefit:

■   What executives get:

•   Business improvements that result from knowledgeable participation in IT decision-making from an enterprise perspective;

•   Ensures that key IT investments support the business and provide optimum returns to the business;

•   Ensures compliance with laws and regulations.

■   What mid-level business managers get:

•   Convinces senior business managers that their combined business-IT resources are being managed effectively;

•   Helps to communicate with peers in IT to ensure that business services for which they are responsible will meet commitments.

■   What senior IT managers get:

•   Obtains sponsorship and support and a clear focus on important strategic and operational initiatives;

•   Improves customer relationships by delivering results in a more predictable and consistent manner, with the involvement of the customer.

■   What program/project and operations managers get:

•   Helps in resolving issues, review progress and enable faster decisions.

■   What everyone gets:

•   Facilitates communications about how IT contributes to the business;

•   Improves coordination, cooperation, communications and synergy across the organization;

•   Less stress.

1.3.2   Value propositions from best-in-class companies on business and/or IT governance

Based on primary and secondary market research, the author identified a number of benefits attributed to major organizations relating to improved governance business and/or IT structures and environments (Selig, 2008):

■   Lowers cost of operations by accomplishing more work consistently in less time and with fewer resources without sacrificing quality (General Motors);

■   Provides better control and more consistent approach to governance, prioritization, development funding and operations (Xerox);

■   Develops a better working relationship and communications with the customer (Sikorsky);

■   Provides for a consistent process for more effectively tracking progress, solving problems, escalating issues and gate reviews (Cigna);

■   Aligns initiatives and investments more directly with business strategy (GE);

■   Improves governance, communications, visibility and risk mitigation for all constituents (Robbins Gioia);

■   Facilitates business and regulatory compliance with documentation and traceability as evidence (Purdue Pharma);

■   Increases our customer satisfaction by listening proactively to the customers and validating requirements on an iterative and frequent basis (Johnson and Johnson);

■   Reuse of consistent and repeatable processes helps to reduce time and costs and speeds up higher quality deliverables (IBM).

1.3.3   Successful IT governance is built on three critical pillars – leadership, organization and decision rights, scalable processes and enabling technologies

Effective IT governance is built on three critical pillars. These pillars include (Jerry Luftman, et al., 2010; Board Effectiveness Partners, 2004; Richard Melnicoff, et al., 2005; David Pultorak, et al., 2005; Ahmad and Shamsudin, 2013):

1.   Leadership, organization and decision rights;

2.   Flexible and scalable processes;

3.   The use of enabling technology.

■   Leadership, organization and decision rights - defines the organization structure, roles and responsibilities, decision rights (decision influencers and makers), a shared vision and interface/integration touch points and champions for proactive change:

•   Roles and responsibilities are well-defined with respect to each of the IT governance components and processes, including the steering and review hierarchies for investment authorizations, resolution of issues and formal periodic reviews;

•   Clear hand-off and interface agreements and contracts exist for internal and external work and deliverables;

•   Motivated leaders and change champions with the right talent, drive and competencies;

•   Meaningful metrics;

•   CIO is a change agent who links process to technology within the business, and provides the tools for enablement, innovation and transformation.

■   Flexible and scalable processes - the IT governance model places heavy emphasis on the importance of process transformation and improvement (e.g. planning, project management, portfolio investment management, risk management, IT service management, performance management, vendor management, controls, security and audits, etc.):

•   Processes are well-defined, documented, measured;

•   Processes define interfaces between organizations and ensure that workflow spans boundaries and silos, including an end-to-end view across organizations, vendors, geographies, technologies and cultures;

•   Processes should be flexible, scalable and consistently applied, with common sense.

■   Enabling technology - leverage leading tools and technologies that support the major IT governance components:

•   Processes are supported by software tools that support the IT imperatives and components (e.g. planning and budgeting, portfolio investment management, project management, risk and change management, IT service management processes, financial, asset and performance management and scorecards, etc.);

•   Tools provide governance, communications and effectiveness metrics to accelerate decisions, follow-up and management actions.

If any one of the above pillars is missing or ineffective, the IT governance initiative will not be effective or sustainable. In addition, over-dependence on one dimension over the others will result in sub-optimal performance.

1.3.4   Results of ineffective IT governance can be devastating

A number of negative impacts may result from poor IT governance. These include the following (IT Governance Institute, ‘The CEO’s Guide to IT Value and Risk’, 2006):

■   Business losses and disruptions, damaged reputations and weakened competitive positions (e.g. Nike lost an estimated $200 million, while running into difficulties installing a supply chain software system. Hershey attempted to install SAP several years ago and at that time, was not successful. It cost the company significant money and lots of embarrassment. Whirlpool ran into significant trouble in attempting to implement a supply chain management system, which did not provide accurate inventory counts at various inventory stages.).

■   Schedules not met, higher costs, poorer quality and unsatisfied customers.

■   Core business processes are negatively impacted (e.g. SAP and other enterprise resource planning systems impact many critical business processes) by poor quality of IT deliverables (an operational meltdown of the Southern Pacific-Union Pacific merger was traced largely to the inability to co-ordinate their IT systems).

■   Failure of IT to demonstrate its investment benefits or value propositions.

Poor regulatory compliance procedures, controls, audits and/or unethical executive business practices resulted in the demise of such companies as Enron and the Andersen certified public accounting firm, and in the jailing of the former heads of Tyco and WorldCom. Others like Parmalat and Global Crossing were also impacted by compliance issues.

The simple fact is that a poorly executed IT operation will result in the business not working. In addition, business and IT continuity and resumption plans have become critical.

1.3.5   The implications of Sarbanes Oxley Act (SOX) and other regulations on IT governance

In general, governance should be the responsibility of the board of directors and executive management in organizations. In order to develop an effective compliance program, executives must understand that compliance can and does involve more than just SOX. It can involve multiple national, international, local and industry specific regulations, as well as best practices, guidelines, frameworks and standards.

Compliance with a growing number of regulations and laws regarding financial disclosure, privacy, environmental conformance and others is creating new and greater IT reporting and systems support requirements for organizations. These include regulations developed by the SEC (Securities and Exchange Commission), FDA (Food and Drug Administration) and EPA (Environmental Protection Agency), SOX (Sarbanes Oxley Act of 2002 and subsequent revisions), HIPAA (Health Insurance Portability and Accountability Act of 1996 and subsequent revisions), Basel III (regulation focused on strengthening EU banking capital liquidity requirements) and specific industry-focused regulations in banking, insurance, brokerage, healthcare, pharmaceutical and others. Much like IT governance, in order to achieve sustainable compliance this complex and confusing mix can be approached most effectively as a single comprehensive compliance program that addresses people, process and technology (Howe, 2012).

Regulatory, audit and management requirements generally determine the level of management and administrative controls a company deploys. For example, Section 302 of Sarbanes-Oxley requires CEOs and CFOs to personally certify the accuracy of their companies’ financial reports. Section 404 focuses on internal controls over financial reporting and in practice requires IT to document and trace a company’s financial statements (e.g. profit and loss, balance sheet) back to the systems, software, operational processes and transaction sources that produced the numbers. To be in compliance a company has to demonstrate a documented audit trail, and further demonstrate how it plans to sustain that compliance effort. Select implications of the Sarbanes-Oxley Act for IT include:

■   Improves financial reporting/disclosures – a new requirement to report on internal controls over financial reporting – Section 404;

■   Expands insider accountability – new requirements for code of ethics for executive management and protection for whistleblowers;

■   The external auditors can insist that any gaps in IT controls must be addressed before an overall opinion is reached on the effectiveness of the internal company controls;

■   Requires a backup for all “financially significant files, storage of those files and periodic restoration of backup files”;

■   Requires IT change management tracking and documentation for financial systems;

■   Requires the maintenance of logs for user access to financial databases, security logs, administrative logs, problem and incident logs as well as an independent review of the logs to detect any activities that could adversely impact financials;

■   Requires systems documentation and verification that data is properly handed off from one system to another;

■   Companies are required to disclose, on an almost real-time basis, any material changes in their financial condition or operations – Section 409;

■   It is a crime for any person to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair its integrity or availability for use in an official proceeding – Section 1102 (18 U.S.C. §1512(c)); Section 802 separately criminalizes destroying or falsifying records to obstruct a federal investigation and mandates retention of audit work papers;

■   Section 906 sets criminal penalties for certifying a misleading or fraudulent financial report: up to $5 million in fines and 20 years in prison for willful violations;

■   Strengthens overall corporate governance.
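The log-retention and change-tracking items above are usually satisfied by an automated first pass over the access and change logs, with a human reviewer following up only the exceptions. The script below is an added illustration of such a review and is not code from the book or from any product; the log line format, the financial object names, the approved service account, the change-ticket convention (CHG-nnnn) and the sample log lines are all constructed for the example. It flags direct writes to financial data that bypass the application, schema changes that cite no change ticket, grants of privileged roles, and records that cannot be parsed (a gap in an audit trail is itself a control exception).

```python
"""Independent review of access and change logs for financially significant systems.

Log format, object names, approved accounts and ticket convention are all
assumptions made for this illustration; adapt them to the real audit source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Objects whose contents feed the financial statements (assumed names).
FINANCIAL_OBJECTS = {"GL_JOURNAL", "AP_INVOICE", "AR_RECEIPT"}
# Only the ERP application's service account may write financial data directly (assumed).
APPROVED_WRITERS = {"erp_app"}
DML_WRITES = {"INSERT", "UPDATE", "DELETE"}
SCHEMA_CHANGES = {"ALTER", "CREATE", "DROP"}
# Assumed change-ticket convention: every schema change must cite CHG-<digits>.
TICKET_RE = re.compile(r"^CHG-\d+$")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<fields>.*)$")

# Constructed sample log lines, not captured from any real system.
# Assumed format: <timestamp> <source> key=value ...  (ticket=- means none cited)
SAMPLE_LOG = """\
2024-03-04T09:12:01Z db-audit user=erp_app action=INSERT object=GL_JOURNAL ticket=-
2024-03-04T22:41:17Z db-audit user=jsmith action=UPDATE object=GL_JOURNAL ticket=-
2024-03-05T10:03:44Z db-audit user=dba_mary action=ALTER object=GL_JOURNAL ticket=CHG-4471
2024-03-05T10:05:02Z db-audit user=dba_mary action=ALTER object=AP_INVOICE ticket=-
2024-03-05T11:30:00Z sec-log user=root action=GRANT object=ROLE:DBA target=jsmith ticket=-
2024-03-06T08:00:00Z db-audit user=jsmith action=SELECT object=GL_JOURNAL ticket=-
2024-03-06T08:01:00Z db-audit (record truncated)
"""


@dataclass
class Finding:
    rule: str
    timestamp: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a dict of fields; None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
    return {"ts": m["ts"], "source": m["source"], **fields}


def review_log(text: str) -> List[Finding]:
    """Apply the review rules to every line; return the exceptions a reviewer must follow up."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None or "user" not in ev or "action" not in ev:
            # A garbled or incomplete record in an audit trail is itself a control exception.
            ts = raw.split()[0] if raw.split() else "?"
            findings.append(Finding("unparsed", ts, "?", raw.strip()))
            continue
        user, action = ev["user"], ev["action"].upper()
        obj, ticket = ev.get("object", ""), ev.get("ticket", "-")
        if action in DML_WRITES and obj in FINANCIAL_OBJECTS and user not in APPROVED_WRITERS:
            findings.append(Finding("direct-write", ev["ts"], user,
                                    f"{action} on {obj} bypassing the application"))
        elif action in SCHEMA_CHANGES and obj in FINANCIAL_OBJECTS and not TICKET_RE.match(ticket):
            findings.append(Finding("untracked-change", ev["ts"], user,
                                    f"{action} on {obj} without a valid change ticket"))
        elif action == "GRANT" and obj.startswith("ROLE:"):
            # Privileged role grants are always reviewed, whatever the ticket says.
            findings.append(Finding("privilege-grant", ev["ts"], user,
                                    f"{obj} granted to {ev.get('target', '?')}"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp} [{f.rule}] user={f.user}: {f.detail}")
```

Run against the constructed sample, the review passes the application's own inserts, the ticketed ALTER and the read-only SELECT, and raises four exceptions: the out-of-hours UPDATE by a named user, the ALTER with no change ticket, the DBA role grant, and the truncated record. The point the control requires is that the reviewer who follows these up is independent of the administrators who appear in the log.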

Since then the legislation has been amended several times (e.g. by the Dodd-Frank Act of 2010, which permanently exempted smaller public companies from the Section 404(b) auditor attestation, and by the JOBS Act of 2012, which gave newly public “emerging growth companies” a temporary exemption). These amendments attempt to keep the legislation in step with the needs of economic activity and recognize that some companies cannot afford the full cost of Sarbanes-Oxley compliance (Mackaden, 2014).

In a growing number of companies subject to SOX, the CIO must internally certify the accuracy of the information systems audit trail each quarter to support the CEO/CFO SOX certifications.

There is a growing library of books, articles and documents that provide recommendations on how to deal with these regulatory and legal requirements (see Appendices B and C for references).

■  1.4   LINKING THE CEO ROLE TO ACHIEVING BUSINESS GROWTH, IMPROVING PROFITABILITY AND CREATING AN EFFECTIVE GOVERNANCE AND COMPLIANCE ENVIRONMENT

The role of the CEO and the executive management team is complex and requires a balance between sustaining growth and profitability while optimizing organizational effectiveness, managing proactive change and complying with the growing and confusing number of regulatory requirements.

Executing enterprise-wide strategic initiatives and managing effective business operations is a complex undertaking. It requires effective corporate and IT governance, which play a growing role in how the CEO and the executive team deploy the organization’s strategy and measure its performance.

As Michael Cinema, President and CEO of Etienne Aigner Group, stated, “The board of directors is well aware of its role to oversee the company’s organizational strategies, structures, systems, staff, performance and standards. As president, it is my responsibility to ensure that they extend that oversight to the company’s IT as well, and with our growing reliance on IT for competitive advantage, we simply cannot afford to apply to our IT anything less than the level of commitment we apply to overall governance.” (IT Governance Institute, 2006.)

Figure 1.4 identifies the attributes that must be addressed for effective growth and profitability. Effective governance is a prominent component for both.

Figure 1.4 Linking the role of the CEO to the success of strategic enterprise initiatives and governance

1.4.1   How much governance is required and when is enough, enough?

Few, if any, standards or guidelines lay out in detail what level of governance an organization requires for management or IT effectiveness. Generally it depends on a number of factors, such as:

■   Size of the investment (capital and expense) and its criticality to the organization (mission critical);

■   Degree of business dependency on technology;

■   Strategic corporate value proposition and alternatives for focus (e.g. growth centric, customer centric, process centric, cost centric, etc.);

■   Management philosophy and policy (e.g. first mover versus follower);

■   Program/project and/or operational importance;

■   Complexity, scope, size and duration of initiative;

■   Number of interfaces and integration requirements with the business;

■   Degree of risk and potential impact (of doing or not doing);

■   Number of organizations, departments, locations and resources involved;

■   Customer or sponsor requirements;

■   Regulatory, legal, control and compliance required;

■   Degree of accountability desired and required;

■   Level of security required or desired;

■   Level of privacy desired;

■   Audit, documentation and traceability requirements.

Chapter 2 discusses many of the current and emerging standards, guidelines and frameworks, already developed or in development, that help to improve the overall IT alignment, execution, governance, control, strategic sourcing and outsourcing management and performance management processes.

■  1.5   Overview of the Integrated IT Governance Framework, Major Components and Prerequisites

The blended and integrated governance framework is grounded in industry best-practice research and is needed to plan, develop, deploy and sustain a cost-effective approach to IT governance. It consists of five critical IT governance imperatives (which leverage best-practice models and are ‘must do’s’) and addresses the following work areas:

■   Business strategy, plan and objectives (demand management) – this involves the development of the business strategy and plan which should drive the IT strategy and plan.

■   IT strategy, plan and objectives (demand management) – this should be based on the business plan and objectives and provides the direction and priorities for the IT functions and resources. It should also include portfolio investment management, a prioritization scheme and the decision rights (who influences decisions and who is authorized to make them) across a wide variety of IT areas. In addition, the CIO is responsible for infrastructure investments such as servers, networks, systems software and their management.

■   IT plan execution (execution management) – this encompasses the processes of program and project management, IT service management (including ITIL – IT Infrastructure Library), risk and threat management, change management, security, contingency plans, outsourcing, data management and others.

■   Performance management, risk management and management controls (execution management) – this includes such areas as the balanced scorecard, key performance indicators, COBIT, and regulatory compliance areas. More details on these topics are provided in Chapters 2 and 8.

■   Vendor management and outsourcing management (execution management) – since companies are increasing their outsourcing spending, selecting and managing the vendors and their deliverables has become critical.

■   People development, continuous process improvement and learning - it is critical to invest in people, knowledge management and sustain continuous process improvement and innovation initiatives.

For each IT governance imperative, a description of the key components is provided and further detailed in subsequent chapters. Step one for a new CIO is to assess the current IT governance environment and what shape IT is in.

Figure 1.5 illustrates each of the major work areas or components of the IT governance framework, with a short description of each component and select references (Gad Selig, 2008).

Figure 1.5 Integrated IT governance framework

1.5.1   Key work breakdown areas required to plan and manage an IT Governance initiative