CEPIS unites 37 professional informatics societies over 33 European countries, representing more than 400,000 ICT professionals.

Transcription

1

2 CEPIS, Council of European Professional Informatics Societies, is a non-profit organisation seeking to improve and promote high standards among informatics professionals in recognition of the impact that informatics has on employment, business and society. CEPIS unites 37 professional informatics societies over 33 European countries, representing more than 400,000 ICT professionals. CEPIS promotes

3 UPGRADE is the European Journal for the Informatics Professional, published bimonthly at < Publisher UPGRADE is published on behalf of CEPIS (Council of European Professional Informatics Societies, < by Novática < journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática, < UPGRADE monographs are also published in Spanish (full version printed; summary, abstracts and some articles online) by Novática UPGRADE was created in October 2000 by CEPIS and was first published by Novática and INFORMATIK/INFORMATIQUE, bimonthly journal of SVI/FSI (Swiss Federation of Professional Informatics Societies, < UPGRADE is the anchor point for UPENET (UPGRADE European NETwork), the network of CEPIS member societies publications, that currently includes the following ones: Informatik-Spektrum, journal published by Springer Verlag on behalf of the CEPIS societies GI, Germany, and SI, Switzerland ITNOW, magazine published by Oxford University Press on behalf of the British CEPIS society BCS Mondo Digitale, digital journal from the Italian CEPIS society AICA Novática, journal from the Spanish CEPIS society ATI OCG Journal, journal from the Austrian CEPIS society OCG Pliroforiki, journal from the Cyprus CEPIS society CCS Pro Dialog, journal from the Polish CEPIS society PTI-PIPS Editorial Team Chief Editor: Llorenç Pagés-Casas, Spain, Associate Editor: Rafael Fernández-Calvo, Spain, Editorial Board Prof. Wolffried Stucky, CEPIS Former President Prof. Nello Scarabottolo, CEPIS Vice President Fernando Piera Gómez and Llorenç Pagés-Casas, ATI (Spain) François Louis Nicolet, SI (Switzerland) Roberto Carniel, ALSI Tecnoteca (Italy) UPENET Advisory Board Hermann Engesser (Informatik-Spektrum, Germany and Switzerland) Brian Runciman (ITNOW, United Kingdom) Franco Filippazzi (Mondo Digitale, Italy) Llorenç Pagés-Casas (Novática, Spain) Veith Risak (OCG Journal, Austria) Panicos Masouras (Pliroforiki, Cyprus) Andrzej Marciniak (Pro Dialog, Poland) Rafael Fernández Calvo (Coordination) English Language Editors: Mike Andersson, David Cash, Arthur Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore, Hilary Green, Roger Harris, Jim Holder, Pat Moody, Brian Robson Cover page designed by Concha Arias Pérez "Strategos" / ATI 2008 Layout Design: François Louis Nicolet Composition: Jorge Llácer-Gil de Ramales Editorial correspondence: Llorenç Pagés-Casas <pages@ati.es> Advertising correspondence: <novatica@ati.es> UPGRADE Newslist available at < Copyright Novática 2008 (for the monograph) CEPIS 2008 (for the sections UPENET and CEPIS News) All rights reserved under otherwise stated. Abstracting is permitted with credit to the source. For copying, reprint, or republication permission, contact the Editorial Team The opinions expressed by the authors are their exclusive responsibility Vol. IX, issue No. 1, February 2008 Monograph: IT Governance (published jointly with Novática*) Guest Editors: Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen 2 Presentation. IT Governance: Fundamentals and Drivers Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen 5 This is NOT IT Governance Jan van Bon 14 ITIL V3: The Past and The Future. The Evolution Of Service Management Philosophy Troy DuMoulin 16 PMBOK and PRINCE 2 for the Management of ITIL Implementation Projects Grupo de Metodologías de Gestión de Proyectos of the itsmf Spain under the coordination of Javier García-Arcal 23 Business Intelligence Governance, Closing the IT/Business Gap Jorge Fernández-González 31 IT Project Portfolio Management: The Strategic Vision of IT Projects Albert Cubeles-Márquez 37 ISO20000 An Introduction Lynda Cooper 40 COBIT as a Tool for IT Governance: between Auditing and IT Governance Juan-Ignacio Rouyet-Ruiz 44 Implementing IT Governance Ad@pting CobiT, ITIL and Val IT: A Respectful Caricature Ricardo Bría-Menéndez and Manuel Palao García-Suelto 48 What Governance Isn t Rob England UPENET (UPGRADE European NETwork) 52 From Pro Dialog (PTI-PIPS, Poland) Software Engineering A View on Aspect Oriented Programming Konrad Billewicz CEPIS NEWS 57 CEPIS Working Groups Authentication Approaches for Online Banking CEPIS Legal and Security Special Interest Network ISSN Monograph of next issue (April 2008) "Model-Driven Software Development" (The full schedule of UPGRADE is available at our website) * This monograph will be also published in Spanish (full version printed; summary, abstracts, and some articles online) by Novática, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) at <

4 Presentation IT Governance: Fundamentals and Drivers Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen In recent years there has been much talk about IT Governance and the management of organizations in general, which has captured the interest of all those involved in ICT management. After a number of decades during which ICT has been applied in organizations in an non-harmonized manner, with different aims in each organization, there was a growing realization that, while such technologies should be at the service of business, that is not always the case. If we were talking about another functional area, such as Human Resources or Accounting, rather than ICT, we would take it for granted that the activities undertaken by those departments were aligned with the goals of the organization they belonged to, and we would not feel the need, although such a need may exist, to create reference models and methodologies to ensure that they were aligned. However, in many organizations ICT is not adequately aligned with the organization s goals, which may lead to project deviations (negative return on investment, uncontrolled expenses, etc.), or unmanaged risks. This is what has given rise to the concept we know today as IT Governance. Organizations may be thought of as a coordinated set of The Guest Editors Dídac López-Viñas is the Director of IT Services at the Girona University (Universitat de Girona UdG-, Spain), Director of ICT at the Science and Technology Park of the UdG, and consultant at UOC (Universitat Oberta de Catalunya) for postgraduate courses in technology services management. He is a graduate in Computer Science from UPC (Universitat Politècnica de Catalunya), holds a postgraduate degree in IT Management from ICT (Institut Català de Tecnologia), another in Enterprise Information Management (Infonomía, UPF), and an MBA from Las Heures (UB). Before working in university IT services he was a systems engineer at Hewlett Packard and IECISA. He has played an active role on various boards of governors of the ATI (the Spanish Association of Computer Technicians) and has collaborated with the COEIC (Col legi Oficial d Enginyeria en Informàtica de Catalunya) serving on the Dean s Council. He has been president of ATI Catalunya since January <didac.lopez@ati.es>. Antonio Valle-Salas is Project Manager at Abast Systems and is a specialist consultant in ITSM (Information Technology Service Management) and IT Governance. He graduated as a Technical Engineer in Management Informatics from UPC (Universitat Politécnica de Catalunya) and holds a number of methodology certifications such as ITIL Service Manager from EXIN (Examination Institute for Information Science), Certified Information Systems Auditor (CISA) from ISACA, and COBIT Based IT Governance Foundations from IT Governance Network, plus more technical certifications in the HP Openview family of management tools. He is a regular collaborator with itsmf (IT Service Management Forum) Spain and its Catalan chapter, and combines consulting and project implementation activities with frequent collaborations in educational activities in a university setting (such as UPC or the Universitat Pompeu Fabra) and in the world of publishing in which he has collaborated on such publications as IT Governance: a Pocket Guide, Metrics in IT Service Organizations, Gestión de Servicios TI. Una introducción a ITIL, and the translations into Spanish of the books ITIL V2 Service Support and ITIL V2 Service Delivery. <avalle@abast.es>. Aleix Palau-Escursell is a partner and Commercial Director of NETMIND, a company engaged in IT training, consultancy, and management. Aleix holds a Higher Diploma in Management Informatics, a Master in Sales Management from EADA, and a Master in ICT Management from La Salle (Universitat Pompeu Fabra). His entire professional career to date has been in NETMIND where he has led the company s commercial expansion and established it as one of the pioneers in the provision of training and consultancy services for Project Management, ITIL, and ISO In recent years he has played an active role in disseminating best practices and methodologies for Project Management and IT Service Management, collaborating with organizations such as PMI (Project Management Institute), itsmf (IT Service Management Forum), ATI, and La Salle, among others. <aleix@netmind.es>. Willem-Joep Spauwen is a senior consultant at Quint Wellington Redwood Iberia. He graduated in Business Administration at the University of Groningen, Netherlands. He has specialized in ICT Governance and added value provided by business management and organization related Information Systems. His career began in the IT Department of Royal Dutch Airlines KLM, where he played an active role in the field of IT-Business alignment. At Quint Wellington Redwood he works as an international consultant in the field of IT management. He has taken part in several projects undertaken by multinationals in the Netherlands, the USA, Mexico, and Spain. He also participates regularly in a number of international forums. <w.j.spauwen@quintgroup.com>. 2 UPGRADE Vol. IX, No. 1, February 2008 Novática

5 information systems in which human and material resources participate, but the key to successful organizations resides in the information per se and the way it is automated. Here is where the managers of organizations may question the manner in which that information is processed and the risks they are taking, both as a result of mistakes that may be made and in terms of the cost of not having that information. Meanwhile, the strategic opportunities afforded to organizations by ICT have given rise to difficulties concerning the management of those technologies. Many companies do not hesitate to describe their ICT departments as strategic or critical to their core activities while at the same time recognizing that ICT causes problems that they hesitate to describe as unmanageable. Thus ICT departments are often perceived as a pure expense rather than a value-adding resource. They are seldom considered as an opportunity, and investment in ICT is often seen as a technologists whim, always to be questioned. Part of the problem lies in the difficulty that managers have in seeing ICT in the company as part of their responsibility and in acquiring the basic knowledge required to take on that responsibility. But the CIOs are also to blame for not understanding organizations and their business objectives, for not taking managerial language on board, for not listening to the real problems of functional managers, and for focusing their goals on technology and not on the practical exploitation of that technology. We can sum up this general problem as being a difficulty to integrate and align ICT departments operations and internal organization within the greater organization and its technological goals. The problem also stems from the misconception that general managers have of ICT departments as separate and almost unrelated units due to the technological nature of their role. Companies and organizations in general need to close this gap between general management and ICT departments by applying management methodologies that will integrate ICT departments within the greater organization and align their operations with corporate goals. If this gap is to be closed, the managers of organizations need to understand that the ICT department must be managed within the context of business objectives as an inseparable part of the business, and that they need to learn ICT management methodologies. Meanwhile the managers of the ICT department should understand their mission within the context of the company s corporate goals. ICT management should not be seen as a separate goal or discipline, but rather as a cross-functional process affecting the entire organization, one in which everyone should play an active role. Many organizations are now getting the most out of ICT by understanding and managing the benefits and risks involved, by successfully aligning their ICT strategy with corporate strategy to form a single integrated strategy, by putting in place mechanisms and processes to implement that strategy, including mechanisms to monitor and control ICT systems, and by using metrics to measure ICT management performance. The set of methodologies that allows us to achieve the above objectives is what we now call IT Governance. IT Governance draws on a number of different fields (monitoring and control, audit, metrics, service management, and quality management) to create models identified by such trendy terms as ITIL, Cobit, Val IT, ISO , etc., and their pertinent certifications. This same trend has also given rise to a great deal of confusion and management by fad with regard to the concepts involved. The aim of the ensuing monograph is to bring readers up to speed with the latest trends, to show how such trends may be reasonably applied, and to try and explain just what IT Governance is, and what it is not. Novática UPGRADE Vol. IX, No. 1, February

6 Useful References on IT Governance The following references, along with those included in the articles this monograph consists of, will help our readers to dig deeper into this field. Books Koen Brand, Harry Boonen. IT Governance based on CobiT 4.0. A management guide. ITSM Library. Van Haren Publishing, ISBN: Jan Van Bon et al. IT Service Management An Introduction. Van Haren Publishing. ISBN: Office of Government Commerce. Best practice for Service Support. ITIL the key to managing IT Services. TSO Books, ISBN: / Office of Government Commerce. Best practice for Service Delivery. ITIL the key to managing IT Services. TSO Books, ISBN: / Office of Government Commerce. ITIL Small-scale Implementation. TSO Books, ISBN: / Mark D. Lutchen. Managing IT as a Business: A Survival Guide for CEOs. McGraw-Hill, ISBN: Gary Case, Troy DuMoulin, George Spalding, Anil C. Dissanayake. Service Management Strategies that Work. Van Haren Publishing, ISBN: Peter Brooks. Metrics for IT Service Management. Van Haren Publishing, ISBN: IT Governance Institute. IT Governance Implementation Guide: Using COBIT and Val IT. 2nd Edition. ISACA, ISBN: IT Governance Institute. Cobit 4.1. ISACA, ISBN: Office of Government Commerce. ITIL Version 3 Core Titles: The Official Introduction to the ITIL Service Lifecycle; Continual Service Improvement (CSI); Service Design (SD); Service Operation (SO); Service Strategy (SS); Service Transition (ST). < Associations IT Governance Institute < Information Systems Audit and Control Association < IT Infrastructure Library < Information Technology Service Management Forum < ITSM Portal < Articles ISACA. Val IT Overview < cfm?section=home&contentid=21569& SECTION= COBIT6&TEMPLATE=/ContentManagement/Content Display.cfm>. Mark Toomey. AS8015 Corporate Governance of ICT Practical Application < resources/as8015corporategovernanceofict.pdf>. Pink Elephant. ITIL v3: What You Need To Know < 94D620D F9E-82D8-CF033200E8DA/ 765/ITILv3WhatYouNeedToKnowNA1.pdf>. ITIL.org. ITIL V3-V2 Mapping < org/en/ itilv3-servicelifecycle/itilv3-v2mapping.php>. Web Sites The Val IT framework < com/valit>, < COBIT 4.1 news < Enabling IT Governance < erp4it>. History of ITIL < pages/index.html>. ITSMWatch < ITIL Training Zone < Troy DuMoulin s blog < troy>. The IT Skeptic < Serge Thorn s blog < blogspot.com>. ICT Governance < (in Spanish). 4 UPGRADE Vol. IX, No. 1, February 2008 Novática

7 This is NOT IT Governance Jan van Bon IT is a business like any other line of business, so why don t we run it as a business? If we look at other disciplines, we can find excellent examples of the application of governance principles. In the IT market, however, we seem to have forgotten to apply some of the most elementary business policies. Recent developments have shown the catastrophical effects that may follow from this. So let s have a closer look at this, and take the first elementary step by answering What is IT Governance and what is it NOT? The answer may come as a surprise. And IT Governance may be less difficult than it seemed. Keywords: Decision Making, Executive, Frameworks, Information Management, IT, ITIL, IT Governance, Management, Model Enhanced, Organization, Planning and Control, Strategic Alignment. 1 Introduction IT Governance is important to CEO s and to CIO s - but what is it, and what is it NOT? This article provides some insight into that question, using a number of modern management frameworks 2 What is IT Governance about? With the ever growing role of information in the Business, it is hard to deny that this world has become totally dependent upon information management. Many organizations wouldn t even survive for more than a few days if their information systems would discontinue. This is the first and main reason for the existence of IT Governance; you need to be in control of your information supporting systems. But there are other significant reasons as well. First of all: organizations need to make sure they comply to external regulatory requirements. We all know the examples of what happens if this is not taken care of. Enron and Worldcom have shown the consequences of bad governance and each country will have had its own local financial disasters as well. Sarbanes-Oxley 1, Basel II 2, IFRS 3, and many local regulations were the answer to this. All these regulations are aimed at ensuring that organizations are in Author Jan van Bon (Inform-IT.org) has been involved with the development and publication of a large number of IT Management frameworks. After a decade of academic research he started his work in IT in the late 1980 s, in the Netherlands. He launched the Dutch itsmf (IT Service Management Forum) in 1994 and was involved in itsmf projects ever since. He has produced more than 50 books, in 14 languages, with expert authors from all over the world, on a broad range of IT management topics <j.van.bon@bhvb.nl>. control of decision making processes and have transparent administrations. A second crucial sponsor of IT Governance is the fact that organizations are more and more managed from the perspective of the shareholder and other stakeholders. Organizations need to provide added value in terms of financial revenues or other values. Hedge funds are taking over many companies and splitting them up for better financial returns. Individual shareholders are getting organized and their influence is growing. Other stakeholders like employees and society are gaining recognition and extending their influence on the decisions and performance of an organization. These aspects illustrate some of the core elements of a generally accepted view on corporate governance, as illustrated in the CIMA (Chartered Institute of Management Accountants) Enterprise Governance Framework (see Figure 1). This framework emphasizes the role of two key issues in governance: "Conformance" and "Performance". Figure 1: The CIMA Enterprise Governance Framework. 1 "The Sarbanes-Oxley Act of 2002 is a United States federal law enacted on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom". < 2 "Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II, which was initially published in June 2004, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face" < 3 "International Financial Reporting Standards (IFRS) are standards and interpretations adopted by the International Accounting Standards Board (IASB)" < Novática UPGRADE Vol. IX, No. 1, February

8 Researchers Brown and Magill (1994) Luftman (1996) Sambamurthy and Zmud (1999) Van Grembergen (2002) Weill and Vitale (2002) Schwarz and Hirschheim (2003) IT Governance Institute (2004) Weill and Ross (2004) [5] AS8015:2005 IT Governance Definition IT governance describes the locus of responsibility for IT functions. IT governance is the degree to which the authority for making IT decisions is defined and shared among management, and the processes managers in both IT and Business organizations apply in setting IT priorities and the allocation of IT resources. IT governance refers to the patterns of authority for key IT activities. IT governance is the organizational capacity by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of Business and IT. IT governance describes a firm s overall process for sharing decision rights about IT and monitoring the performance of IT investments. IT governance consists of IT-related structures or architectures (and associated authority patterns), implemented to successfully accomplish (IT-imperative) activities in response to an enterprise s environment and strategic imperatives. IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization s IT sustains and extends the organization s strategies and objectives. IT governance is specifying the decision rights and accountability framework to encourage desirable behavior in using IT. The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation. Table 1: Some Definitions of IT Governance (based on [1]). 3 Definition(s) of IT Governance A Google search for the meaning of IT Governance will easily show over 50 different definitions. There still is no single authorative source that has gained the power to set any of these as the universal and official definition. Table1 presents some of the most familiar definitions. Lately, experts in the field show some convergence towards common elements in the definitions they use. Key elements in the governance definitions are the organization and the distribution of rights. Governance tends to deal with organizational elements that are accountable for decision making, in a transparent way. This immediately points out the second important element, which always is about decisions. However, governance is mostly restricted to only providing the infrastructure for making these decisions, and the decision making process itself is not included. Making decisions is generally accepted to be an aspect of management, which is separated from governance. Sohal and Fitzpatrick [2] have illustrated that in their research on governance in Australian government (see Figure 2). So there is a clear distinction between governance and management, suggesting that governance enables the creation of a setting in which others can manage their tasks effectively. Which makes IT Governance and IT Management two separated entities. Although many frameworks such as COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library) are characterized as "IT Governance frameworks", most of them are in fact management frameworks. 4 What Is Not IT Governance To be able to understand what IT Governance is all about, 6 UPGRADE Vol. IX, No. 1, February 2008 Novática

9 Figure 2: IT Governance versus IT Management (Sohal & Fitzpatrick [2]). it would be very helpful to understand what it is not. E.g., as we saw in the previous paragraph, management is not governance. To be able to understand what is excluded from the field of IT Governance, it therefore is useful to understand what IT Management is. We are discussing IT Governance and not corporate governance, which automatically means that we have to involve the discipline of Information Support in this. Information Support is widely recognized as a supporting discipline for the other Business processes. The best way to manage a domain properly, according to the principle of Separation of Concerns, is by dividing that domain into a control subdomain and a realization subdomain. That way, the realization domain does not control itself. Once applied to Information Support, this provides us with two separate responsibility domains: Information Management (IM), where information support systems are designed and controlled, and Information Technology (IT), where the information systems are built and run (see Figure 3). Two opposite forces make this interactive system work: 1) Pull. The organization controls the quality of the Information Support, based upon requirements that follow directly from the information demand of the primary Business activities. In addition, other supporting (Business) activities also influence the demand for information. The IM domain acts as the next link in the chain from the Business domain perspective. 2) Push. Based on both possibilities and impossibilities, and problems from the IT domain, the organization adjusts the set-up of the Information Support. Another widely used management paradigm (Planning and Control) explains that in each domain we should always have Strategic, Tactical and Operational levels of management (see Figure 4). This also supports an interactive system based upon two opposite forces: 1) Pull (top-down). Strategic plans and goals are specified at a tactical level and realized at an operational level. But plans and goals can be adjusted, market forces can require adjustments, new partnerships can lead to new goals, new ruling can require new preconditions, and each of these will have its effect downstream towards the operational level. 2) Push (bottom-up). The organization adjusts objectives and goals by evaluating the realization processes, adding operational experiences to the decision processes. Again this will show both the new possibilities as well as the impossibilities and problems that an organization will run into. Combining the views described above results in a 3x3 model for managing Business, Information and Technology, as expressed in the SAME Model (see Figure 5). The SAME model can be used as the "basic pattern" for managing Information Support issues in organizations. It still describes the responsibility and process elements, but once we understand the structure of this 3x3 matrix, we can use it to tackle organizational issues. Issues that can be addressed include: The organization of the Information Support. This deals with effectivity and efficiency: - Setting up responsibilities, role descriptions and RACI (Responsible, Accountable, Consulted, Informed) matrices in the Information Management domain, and allocating these to the various cells of the 3x3 matrix. - Decisions on outsourcing of one or more activities or functions, once they are understood and positioned in the 3x3 matrix. Novática UPGRADE Vol. IX, No. 1, February

10 Figure 3: Separation of Concerns in the Information Support Discipline (Van Bon & Hoving [3]). - Setting up the control organization for the management of outsourced activities or functions, managing external suppliers, setting up agreements, creating reporting policies. - Auditing the organization. Cross-references. Positioning and scoping of existing management frameworks, finding white spots in the management system. Process models. Allocating processes to specific management levels or domains, setting up process models based on the given interactions between cells in the 3x3 model, completing process models based on the 3x3 model interactions. Although the model can be used to tackle lots of management issues, it is quite useful as a base for discussing governance issues. After all, if IT Governance is about the organization of rights and decisions, we could now focus on the allocation of these in the 3x3 matrix. The matrix provides us with a structured model of responsibilities and activities. Allocating these to a specific organization actually comes down to determining your IT Governance system. Example 1: Organizing the IM Domain Note that the dimension in the SAME Model is process (managing Information Support activities, responsibilities, tasks) and not organization. If we want to apply the common factors of the above definitions of IT Governance, we will thus have to allocate the process domains of the SAME Figure 4: The Planning and Control Paradigm for Strategy, Tactics and Operations (Van Bon & Hoving [3]). 8 UPGRADE Vol. IX, No. 1, February 2008 Novática

11 Figure 5: The Strategic Alignment Model Enhanced (Van Bon & Hoving [3]). model to an organizational structure. We can do this by taking the organizational dimension as an overlay over the process dimension in the SAME model. And since organizations tend to differ in their organizational models, we can find many different solutions for that. A few simple examples for the organizational allocation of Information Support responsibilities are described in Figure 6. This highlights the question of where the responsibility for IM and IT is positioned in the organization, which typically is an IT governance issue. Basically this comes down to a question of where the IM domain is positioned: a) Stuck-in-the-middle. IM is positioned at equal distance from the Business and the IT domain, in many instances emblematic for organizations trying to implement IM as a liaison function. The result is fairly often an IM function "stuck in the middle": missionaries talking to a brick wall at the Business side, renegades for the Technology side, and peacekeeping troops in the middle, missing a clear identity in their own mindset. In this scenario, IM will be an independent Demand Organization, loosely coupled with the Business. b) As an extension of the IT function. The IM responsibilities of the organization have largely been delegated to the Technology domain, where the IT services are produced. Although still often found in practice, this approach is not recommended: management tends to be expressing itself in terms of technology, not in terms of Business values. And the information service provider is now controlling itself, which leaves the Business vulnerable in its relationships Figure 6: The Position of the Information Management Domain, between Business and Information Technology in the SAME Model (Akker [4]). Novática UPGRADE Vol. IX, No. 1, February

12 Figure 7: Service Contracting in the SAME Model. with suppliers. The organization has set IM at a distance, making it highly vulnerable to misalignment between Technology and the Business. c) As an extension of the Business function. Here, information is considered to be a Business asset, and the relationship with Technology can be a contractual one: IT is a supportive function, to be managed as such, and conceivably governed via outsourcing. Moreover, IM is a shared Business responsibility, while IM as a separate function is only accommodating and stimulating, but never leading. IM and Business responsibilities are tightly bound and IT can be regarded as a replaceable commodity, to be provided by any adequate supplier. Example 2: Service Contracting If the Business wants to contract specific information support, it will contract the IM domain for the provision of information services. This agreement can be called an Information Services Agreement (ISA). The IM domain will then have to contract an IT service providing function, to provide the technology elements of the information services. That agreement will be between IM and IT, and can be called an IT Services Agreement (ITSA), also known as the Service Level Agreement (SLA) in ITIL (see Figure 7). Example 3: Organizing a Service Desk The IM domain will have to provide operational support for the user in the Business domain. This refers to the functionality and the actual delivery of the agreed information services and is aimed at supporting the use of these information services by the Business. The IT domain will have to provide Figure 8: Example of an Integrated Service Desk, as an Organizational Layer over the SAME Framework. 10 UPGRADE Vol. IX, No. 1, February 2008 Novática

13 Decision Making Roles, Groups Executive Board Executive Manager Business Board Business Manager Unit manager IT Board Committee Advisory Board Task force Chief Information Officer IT Manager Service Manager Employee Description Decision making board of managers Single decision making person Decision making board of managers, managing a single Business domain Single decision making person, managing a single Business domain Single decision making person, managing a single unit, e.g. of an expert domain Decision making board of IT involved managers, usually reinforced with experts Permanent decision making board of experts, handling a single expertise, knowledge domain, area, process of shared interest Delivery of input to support decision making Temporarily decision making board of experts, handling a single task usually of shared interest Highest ranking decision making manager in the Information Support domain Highest ranking decision making manager in the IT domain Decision making representative, managing a service or service domain on behalf of the IT department Empowered employee that is authorized to take certain (usually process related) decisions Table 2: Examples of Organizational Decision Making Structures (based on [1]). the operational support for the user, under the control of the IM domain, but the IM domain itself will have to provide the support for functionality and specification issues. For both types of support activities a Service Desk unit may be installed. Instead of creating two separate Service Desks, an organization may decide to create just one integrated Service Desk (see Figure 8). This Integrated Service Desk should then be prepared and educated to solve both information issues as well as IT service issues. Example 4: Position of Frameworks An organization wants to use widely accepted frameworks for its management approach. It already has ITIL V2 largely in place. The organization now considers the adoption of ITIL V3, and wonders whether this will cover the entire Information Support domain. The answer is "no". Both ITIL V2 and V3 are largely located in the Technology domain and cover only some minor aspects of the IM domain. The organization will have to adopt additional frameworks to cover the entire Information Support domain (see Figure 9). 5 So What Is IT Governance Based on the previous considerations, a recommendable definition for IT Governance would be: "IT Governance is the assigning of accountability and responsibility and the design of the IT organization, aimed at an efficient and effective use of IT within the Business processes, and conforming to internal and external rules." This definition is built on the following terms: Accountability: the principle that individuals, organisations and the community are responsible for their actions Novática UPGRADE Vol. IX, No. 1, February

14 Figure 9: An Example of Positioning Management Frameworks in the SAME Framework. and may be required to explain them to others. Responsibility: to be entrusted with or assigned a duty or charge. Organizational design: the structure and relations between departments, the grouping of tasks, and the flow of work in organizations. Business Processes: the workflows within a company and the processes involved in inter-company transactions. Rules: policies and principles guiding action. And a recommendable definition of management would be: "Management is making decisions within a set of assigned accountabilities and responsibilities and for a clearly defined organizational area." Allocating the responsibilities and rights to an organizational management system, as explained in the above examples, is typically the kind of issue that is handled in IT Governance. Other issues that IT Governance is concerned with could be: Ensure authority and responsibility in IT: How do I stay in control? Which (in)formal planning and reporting shall be required? Who shall determine budgets? Shall we have a centralized or a distributed organization? Ensure IT complies with regulatory authorities: Which body shall consider the relevant and required regulations and certifications? How shall risks be managed? Ensure IT is organized and ready for change: How shall the IM and the IT organizations be organized? Hierarchy, project-based, flat, team-based, etc? Which remuneration policies shall be applied? Bonus rules, performance related salaries, variable salaries, annual raise, etc? How shall competences be managed and developed? Ensure IT is aligned to fit Business/organizational Business Business Pressure Conformance IT Govern Business Needs Performance Direct Monitor Plans Policies Accountability Responsibility Performance of ICT Conformance of ICT IT Projects IT Operations Figure 10: AS8015, Corporate Governance of Information and Communication Technology. 12 UPGRADE Vol. IX, No. 1, February 2008 Novática

15 needs: How shall an optimal fit between IT and Business be realized? How do we deal with SLAs and service catalogues? Who decides on Service Levels? Ensure IT delivers value for money: How shall performance be measured? Shall IT performance be benchmarked? Which cost model shall be applied? IT Governance can also be concerned with issues like Leadership, Culture, Risk management, Policies and procedures, Financial management, IT architecture, Procurement and Sourcing. 6 The Organizational Aspects of IT Governance If IT Governance is about organizing the decision making structures, and the Information Support activities should then be managed in these structures, the last question would be: "what organizational structures could be applied in IT Governance?" These organizational structures can vary from organization to organization. Table 2 shows a number of possible decision making roles or groups: The elements from Table 2 can now be used to build an organization s governance structure. A number of control loops should then be designed to make sure that the framework is a comprehensive system that controls itself. This means that reporting mechanisms should be added, as well as communication protocols, policies and standards. When building this governance framework for your organization, both aspects of good governance (conformance and performance) should continually be addressed, to make sure that the system will realize its primary goals. Once completed, the relevant regulations and standards can be used to test the system and continual improvement programs can be planned to enhance the organization s performance. will create the desired result: conformance to internal and external regulations and standards, and optimized performance for adding value to the stakeholders of the organization. The frameworks that are availlable to support this are largely limited to the Management domain. Even the only available local standard for IT Governance is largely dealing with Management issues instead of IT Governance issues. It may take a while before a true IT Governance framework will become available. References [1] ITGA. Work from the IT Governance Association, The Netherlands, not published, [2] A.S. Sohal, P. Fitzpatrick. IT governance and management in large Australian organizations. International Journal of Production Economics, 75, , [3] J. van Bon, W. Hoving. Strategic Alignment Model Enhanced. BHVB white paper, [4] R. Akker. In J. van Bon (ed.). Frameworks for IT Management, Van Haren Publishing for itsmf, [5] P. Weill, J. Ross. IT Governance: How Top Performers Manage IT for Superior Results, Harvard Business School Press, ISBN: A Standard for IT Governance As explained before, frameworks like COBIT and ITIL are management frameworks, not IT Governance frameworks. This also means that ISO/IEC also is a management standard and not a governance standard. There is only one standard available for IT Governance, which is the Australian standard AS8015 (see Figure 10). This standard is currently under investigation by the ISO organization to see whether it can be adopted or embedded in the ISO/ IEC standard. If that would happen, the resulting standard would be a mix of governance and management elements. The AS8015 indeed contains a number of control loops, as required. It also emphasizes the basic structures of Conformance and Performance. However, it is short on specifications of the organizational issues that IT Governance should be about, and instead it deals with quite a few straightforward management issues. 8 Conclusion IT Governance basically comes down to the question "who rules what". Management should then work within the agreed space. If Management does that correctly, this Novática UPGRADE Vol. IX, No. 1, February

16 ITIL V3: The Past and The Future. The Evolution Of Service Management Philosophy Troy DuMoulin Although the contribution made to ITIL (Information Technology Infrastructure Library) by version 3 over version 2 cannot be considered as a radical change in direction, it does represent a step forward towards making ITIL not only a frame of reference for operational matters but also a valuable IT Governance tool. Rather than rendering the previous recommendations obsolete, the new version places them within a broader context. This article stresses the importance of this step forward and describes its most significant implications. Keywords: Governance, ITIL, Process Integration, Product Lifecycle, Value Chain. 1 Introduction It has often been said that the only constant is change! In the dynamic world we live in, this is true of all organic things and ITIL (Information Technology Infrastructure Library) is no different. From its humble beginnings as an internal UK government initiative, to its growth and adoption as a global best practice and standard for Service Management, ITIL has taken many steps along the road of progress and maturity. The ITIL Refresh Publications & Newsletters published by the TSO (The Stationery Office) have given us some interesting insight into the future of IT Service Management (ITSM) as documented by ITIL. You will find links to these documents on Pink Elephant s ITIL v3 - Information Central webpage < It is my view that ITIL v3 is definitely taking a major step in the right direction. We can observe a glimpse of this from Table 1 that was published as part of the ITIL Refresh Newsletter, 1st Edition, Autumn I would like to call your attention to that table. 2 Key Evolutions in ITSM From Table 1, we can identify and interpret some key evolutions in ITSM Philosophy. Author Troy DuMoulin is Director of Product Strategy and Executive Consultant at Pink Elephant. He is an experienced Executive Consultant with a solid and rich background in business process re-engineering. Troy holds the Management Certificate in ITIL and has extensive experience in leading Service Management programs with a regional and global scope. His main focus at Pink Elephant is to deliver strategic and tactical level consulting services to clients based upon a demonstrated knowledge of organizational transformation issues. Troy is a frequent speaker at ITSM events and is a contributing Author for the ITIL "Planning to Implement IT Service Management Book." He also works with ISACA on COBIT v4 development < pub/0/235/148>. 2.1 Alignment vs. Integration For many years, we have been discussing the topic of how to align Business and IT objectives. We have done this from the assumption that while they (business and IT) shared the same corporate brand, they were somehow two separate and very distinct functions. However, when does the line between the business process and its supporting technology begin to fade to a point where there is no longer a true ability to separate or revert back to manual options? If you consider banking as an example, Financial Management business processes and their supporting technologies are now so inter-dependent that they are inseparable. It is due to this growing realization that the term alignment is being replaced with the concept of integration. 2.2 Value Chain Management vs. Value Service Network Integration When reading ITIL v2, you get the perception that the business and IT relationship is primarily about a business customer being supported by a single internal IT Service Provider (Value Chain Management). Little acknowledgement or guidance is provided about the reality of life never being quite that simple. Today s business and IT relationship for service provision is much more complicated and complex than the concept of a single provider meeting all business needs. We need to consider that yes, there are internal IT functions, but some are found within a business unit structure where others are providing a shared service model to multiple business units. Add to this the option of using different external outsourcing options or leveraging software as a service model and what you end up with is what ITIL v3 refers to as an Integrated Value Service Network. 14 UPGRADE Vol. IX, No. 1, February 2008 Novática

17 ITIL v2 Business & IT Alignment Value Chain Management Linear Service Catalogues Collection of Integrated Processes ITIL v3 Business & IT Integration Value Service Network Integration Dynamic Service Portfolios Service Management Lifecycle Table 1: Key Evolutions in ITSM Philosophy. 2.3 Linear Service Catalogues vs. Dynamic Service Portfolios While ITIL has always been referred to as an IT Service Management Framework, the primary focus up until now has been on the ten Service Support and Delivery processes. In previous versions of ITIL, the concept of a service has almost been an afterthought or at least something you would get to later. Consider that in ITIL v2 the process of Service Level Management has, as one of its many deliverables, a Service Catalogue which can be summarized from the theory as a brochure of IT Services where IT publishes the services it provides with their default characteristics and attributes or Linear Service Catalogue. In contrast to this, a Dynamic Service Portfolio can be interpreted as the product of a strategic process where service strategy and design conceive of and create services that are built and transitioned into the production environment based on business value. From this point, an actionable service catalogue represents the published services and is the starting point or basis for service operations and ongoing business engagement. The services documented in this catalogue are bundled together into fit-for-purpose offerings which are then subscribed to as a collection and consumed by business units Pink Elephant. All rights reserved. ITIL is a Registered Trade Mark and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the US Patent and Trademark Office. 2.4 Collection Of Integrated Processes vs. Service Management Lifecycle Based on publicly available information, we know that the ITIL v3 core books are structured around a Service Lifecycle. This new structure organizes the processes we understand from ITIL v2 with additional content and processes we are waiting to hear more about within the context of the life span of IT Services. From this observation, we can see that the primary focus is shifting from process to IT Service. While processes are important, they are secondary and only exist to plan for, deliver and support services. This moves the importance and profile of the Service Catalogue from being an accessory of the Service Level Management process to being the corner stone of ITSM. As organizations evolve from a technology focus to a service orientation focus, these core changes to ITIL provide the context and ability to support this emerging reality. Novática UPGRADE Vol. IX, No. 1, February

18 PMBOK and PRINCE 2 for the Management of ITIL Implementation Projects Grupo de Metodologías de Gestión de Proyectos of the itsmf Spain under the coordination of Javier García-Arcal In this article we analyse a compilation of tools and techniques produced by a working group coordinated by itsmf Spain with a view to providing professionals involved in projects implementing ITIL best practices with a range of project management tools and techniques (based on PMBOK and PRINCE2 methodologies) to facilitate project management and ensure a successful implementation of ITIL. Keywords: Best Practices, CSF, Implementation, ITIL, ITSMF, PMBOK, PRINCE2, Project Management, Success Factor, Tools. 1 Introduction The purpose of this article is to develop and disseminate tools that will ensure the successful execution of ITIL implementation projects and help the parties involved meet the challenge of implementing ITIL. First we will give a brief explanation of the acronyms used to refer to these methodologies: ITIL (Information Technologies Infrastructure Library) is a set of best practices for the administration and management of IT services in terms of the people, processes and technology employed, developed by the UK government agency, the OGC (Office of Government Commerce). ITIL provides recommendations and guidelines for IT management aimed at achieving alignment between technology and business. The Project Management Body of Knowledge (PMBOK ) is a compilation of knowledge acquired in project management. It belongs to the PMI, Project Management Institute, whose members are professionals from various fields, such as law, finance, etc. The PMI encompasses both traditional and more innovative practices. PRINCE2, on the other hand, is a structured method of project management which seeks to develop the organization, administration, and control of projects based on project management best practices. In order to implement ITIL in an organization or department we first need to make a study of potential advantages and how those advantages can be gained by the end of the project. The work performed by our group has resulted in an eminently practical approach for ITIL implementation projects. 2 Work Methodology A work methodology based on brainstorming was designed and it was decided to apply decomposition techniques to the analysis of information sources. In addition to brainstorming, we used information from PMBOK, PRINCE2, and the ITIL V2 and V3 books, as well as the know-how of each member of the group. In the first stage of the work we established the critical Authors Grupo de Metodologías de Gestión de Proyectos (Project Management Methodologies Group) of the itsmf (IT Service Management Forum) is a multidisciplinary working group which was convened following a directive from the standards committee of itsmf Spain to create a line of research into project management methodologies applied to the management of ITIL implementation projects. It is coordinated by Javier García-Arcal. Javier García-Arcal is a Doctor of Engineering by the Universidad Politécnica de Madrid. He works as a consulting manager at IT Deusto and as a lecturer in Project Management at the Escuela Técnica de Ingeniería Informática and at the Escuela de Ingeniería Técnica Industrial of the Universidad Antonio de Nebrija. He has collaborated in the review of the books ITIL V3 Service Operation and Fundamentos en ITIL V2. Javier has pursued his career in process consulting, defining ITIL processes for major multinationals in the Consulting, Retail, Telephony, and Public Administrations sectors. He has worked in twelve countries in IT Governance coordination, administration, and project management, in software development in IT departments of various consulting firms (Secuenzia, Citi Technologies, etc.), and in service companies such as Sermicro, and multinationals such as Chep and Telefónica I+D <javier.arcal@gmail.com>. success factors for an ITIL implementation, while in the second stage we analysed each of the tools and techniques proposed by PMBOK and PRINCE2 with a view to seeing just how useful these tools and techniques were for implementing ITIL. In the third stage of our work we considered how to maximize the usefulness of the results for those involved in ITIL implementations. It was decided to use a graphical method based on hierarchical relationships similar to the one used by the metrics group of itsmf Spain [1]. 3 Results We go on to show some of the results obtained from this study for both PMBOK and PRINCE2. We have explained the methodology used to obtain results; now we will explain the content of each "tree" in which these results are represented, and show how to use these trees to extract practical and useful information for the management of ITIL implementation projects. 16 UPGRADE Vol. IX, No. 1, February 2008 Novática

19 Figure 1: Tree for PMBOK-CSF 10 Having the necessary resources and budget. The analysis of the trees can be performed bottom-up, from the tool to be used to the CSF (Critical Success Factor) on which it impacts, or top-down, from the CSF that we want to improve/reach to the tools. The top-down method will be used to give greater emphasis to the tools used and to make it easier to trace the process through the tree. As we can see, level 1 is the CSF itself which in turn is related to all the PMBOK stages forming level 2 of the tree. Each PMBOK stage has a number of activities which may have or suffer from some degree of dependence with the CSF which it is evaluating. Only those activities which, in the course of our work, have been seen to contribute added value in the achievement of the CSF in question will appear on the tree. These activities comprise level 3 of the tree. Finally, on level 4 will be all the tools, techniques, inputs and/or outputs related to a PMBOK activity which is useful to the CSF and may also contribute to the success of the CSF. Figure 2: RACI Matrix. Novática UPGRADE Vol. IX, No. 1, February

20 Figure 3: Work Breakdown Structure. Therefore, if we wish a certain CSF to be achieved, we can use the tools that figure in the tree, concentrating on those that are easier to use in our project or those that most benefit our project. If we apply this analysis to CSF 10, "Having the necessary resources and budget", the purpose of which is to ensure that the team carrying out the project has all the resources necessary to complete it successfully, we get the tree shown in Figure 1. To achieve this CSF the following tools can be used, among others: RACI, WBS, and Pareto diagrams. The horizontal rows of the RACI matrix set out in Figure 2 show project activities while the vertical columns represent all the people involved in the project. The idea is to obtain detailed knowledge of each person s degree of involvement in each activity and this is done by assigning each person a role in each task he or she is involved in. The roles defined for a RACI matrix are: The WBS or Work Breakdown Structure shows how project outcomes are subdivided into work packages (see Figure 3). This representation provides us with a clear idea of what outcomes the project will produce. The last tool that can be used to achieve this CSF is the Pareto Diagram, which is designed to show any defects that have been produced by grouping them together according to their origin/cause (see Figure 4). This technique allows us to identify potential deviations in the success of the project before they occur, or as soon as possible after they appear. Figure 4: Pareto Diagram. 18 UPGRADE Vol. IX, No. 1, February 2008 Novática