Strategy and Tactics to Achieve Effective IT Governance

Transcription

1 Strategy and Tactics to Achieve Effective IT Governance By Kerry Litten BT Senior Principal BT Compute Services that adapt

2 Introduction IT governance is currently a hot topic and has been for some time. A consensus has formed that it should be an important area of focus for any organization interested in increasing the business value derived from their investment in IT. But what is meant by the term IT governance? Is it a process, and if so, who performs it? In the book entitled IT Governance by Peter Weill and Jeanne W. Ross, IT governance is initially defined as Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. However, as the book goes on to acknowledge, IT governance is more than this: Decisionmaking structures are the first step in designing IT governance. But effective governance is as much actions as decisions. A number of components to IT governance are needed, including: A process aspect that takes into account the need for decision- making and decision-support activities to be done in a structured and consistent way Clearly defined criteria for making decisions Well defined responsibilities and accountability assigned to the groups and individuals who are involved in making the decisions All organizations that use IT to support their businesses perform some form of IT governance. The purpose of this white paper is to provide a step-by-step guide to achieving effective IT governance by improving existing mechanisms, which are often informal, not clearly defined and lacking in transparency (i.e., the basis for decisions taken is not always clear). The first section provides a simple definition of what IT governance is, why it s important, its scope and who is responsible. The following sections present the three strategic steps and supporting tactical actions that will achieve effective IT governance. The What, Why and Who of IT Governance What it is IT governance can be simply defined as: The process of identifying what IT should do in terms of new initiatives (e.g., new/amended services or applications) improving/maintaining current performance (e.g., improving security, increasing capacity or improving resilience) Allocating resources (primarily money and staff time, but also assets and facilities) to achieve the selected goals IT governance is separate from the day-to-day management of IT services and projects in that IT management decisions are made and activities are performed in order to carry out the IT strategy defined by IT governance. These activities must adhere to the budget set by IT governance, or if they do not, they must be escalated as a request for exception to secure additional resources using the IT governance process. Why it is important Effective IT governance is needed to ensure that IT is aligned with the business strategy and that appropriate investments are being made in IT. It is not just a one-time or occasional activity. A key part of IT governance is to continually monitor the performance of IT from a business standpoint and to adjust priorities or investment as often as necessary to maximize its contribution to the achievement of business goals. There are three interrelated IT decision areas that IT governance needs to address : IT Principles, e.g. Info Security, Regulatory Compliance or Outsourcing Selected IT Functions IT Architecture (organizing logic for data, applications and infrastructure) Prioritization of requirements and investment in new or changed: IT Infrastructure (includes physical infrastructure and staff and services provided by third parties) Business Applications The way that these decision areas influence one another is depicted in Figure 1. Who should participate? Involving business managers with IT management in the IT governance process is absolutely crucial since IT is funded and exists to provide services to the business. The level of involvement will vary depending on the IT governance decision area. Business managers are likely to be more interested in decisions about IT principles (which shape the way that IT services and supports business processes) than those about IT Architecture (which require technical input, but should nevertheless be driven by business applications and access requirements). Organizations choose different decision-making structures and ways of assigning responsibility and accountability between IT and business managers. This is discussed further inthe following section.

3 Strategy for Effective IT Governance Step 1: Define the decision criteria In the preceding section, we described IT governance as the process of making high-level decisions about IT and allocating the resources needed to implement these decisions. The first step in an implementation strategy consists of defining the criteria by which these decisions should be made. The IT Governance Institute defines the following five focus areas for IT governance: Strategic Alignment Value Delivery Risk Management Resource Management Performance Measurement The first three focus areas address the purpose of IT governance, which is to 1) optimize the alignment between business strategy and IT, 2) maximize the business value delivered by IT and 3) ensure that IT-related risks, including compliance requirements, are fully understood and effectively managed. These three therefore provide the generic criteria for IT governance decisions. Resource management addresses the allocation of resources to implement decisions, and performance measurement provides essential feedback on the outcome of IT governance decisions. Before each decision is made, it is necessary to ask to what extent that decision improves alignment, value delivery or risk management. Metrics need to be identified that can be used to assess the likely effect of IT governance decisions and then measure their outcome against these goals in a consistent and clear manner. The process of identifying suitable metrics is a valuable exercise as it addresses fundamental questions about the use of IT within the organization and the way its performance will be measured in business terms. Metric identification should be conducted jointly by representatives from IT and the business, which can improve mutual understanding and trust. Let us briefly consider each of the goals in turn. (More detail on metrics is available in a separate white paper from which some of the following information is drawn.) Strategic alignment IT policies and standards, particularly those that are derived from IT principles, play a key role in ensuring that the activities of the IT organization are aligned with the business strategy. Therefore, compliance with these policies and standards is an important means of maintaining that alignment. Metrics that specifically measure compliance with IT policies and standards are required. New alignment initiatives require a different approach in that their value must be evaluated by looking at the effect of both proceeding and not proceeding; these initiatives should be assessed as having a high, medium or low impact in enabling the achievement of strategic business goals. Value delivery In most organizations, IT services do not directly generate revenue. However, they enable the organization to create business value by generating revenue through business processes that enable development of new products, acquisition of new customers, etc. Therefore, the business value of IT services is the way that the services support the business processes. Some of the metrics that can be used to measure this business value include service availability and reliability, effectiveness in meeting business requirements [measured using Key Goal Indicators (KGIs) for IT services and processes], process efficiency and efficiency in the use of resources (cost control). Business processes still need to evolve and change, however. IT can add significant value by responding to and enabling these changes and in some circumstances actually driving them. Metrics that can be used to measure the capability of IT to deliver this value include: Speed at which IT projects can be designed and costed in response to new requirements Completion of projects on-time and within budget How quickly service levels can be changed and stabilized at these new levels How frequently IT proposes new or enhanced business Processes Risk management It is not practical to measure the effectiveness of risk management by looking at the frequency at which risks actually cause significant events that affect IT services, simply because such events are (one hopes) very infrequent. However, the level of compliance with risk management activities within operational IT Information Library (ITIL) processes such as Security, Availability and IT Service Continuity Management provides a good indication of how well risk management is being applied. In addition, it is possible to make an assessment of the effectiveness of the risk management controls, even if it cannot be directly measured. This is best accomplished by assessing these controls against a standard such as ISO (actually a series of standards concerning information security) or an industry-standard IT management framework such as Control Objectives for IT (COBIT).

4 Step 2: Decide who will make the decisions The purpose of this step is to formalize IT governance decisionmaking rights and associated organizational structures. In the first section we said that both IT and business management should be involved. There is no single best way to achieve this outcome. The way in which this is done needs to match the culture of the organization as well as the way in which IT is used in the business. In the book IT Governance, Peter Weill and Jeanne Ross identify five different styles (they call them archetypes) of sharing (or not) decision-making power as shown in Table 1. Table 1: IT Governance Styles Step 3: Define the IT governance process Having defined how IT governance decisions should be made and who should make them, the final strategic step is to bring these together as a process. What should this process look like? First of all it should be responsive to changes in business requirements and external factors (such as changes in compliance regulations). Good communication between IT and the business and the willingness for IT to be driven by business needs rather than internal priorities is paramount. Secondly, the IT governance process must monitor the performance of IT in business terms and drive performance improvement where it is needed. IT governance needs to be both reactive and proactive. The reactive role is to analyze and respond to inputs such as: New initiatives or changes in strategy from business units Changes to compliance regulations from external bodies Proposals for new or changed business applications Proposed changes to the IT infrastructure The proactive role measures IT performance and identifies ways in which it can be improved, including: Different styles are often used for the various IT governance decision areas (IT Principles, IT Architecture, etc.). Each organization should identify the style that suits it best for each decision area. Once this has been done, decisionmaking structures can be created, matching the representation in each structure to the chosen style and scope of decision-making responsibility. Examples include: Deploying new technology that offers better price/performance or new features that either better support business processes or enable completely new ones to be developed Improving efficiency by increasing the utilization of IT resources (without adversely affecting service levels) Modifying roles, responsibilties or organizational structures within the IT function An example process is shown in Figure 2. IT Service Management Governance Committee Project Portfolio Management Office (PPMO) IT Architecture Committee InfoSec Council In addition to defining the responsibility and accountability of each decision-making structure, it is also important to specify this for the individual roles that comprise it.

5 This example shows an IT governance process that consists of six sub-processes labeled GOV.1 GOV.6. The IT service management processes that interface with IT governance are shown at the bottom of the diagram together with the primary entities with which it interfaces (regulatory authorities and business units). GOV.1 Communication & Interfacing is the sub-process concerned with ensuring good communication between IT, the business units and other sources of information needed by IT governance. GOV.2 GOV.4 are sub-processes that are used to analyze new initiatives and performance data. This analysis provides crucial input to the decision-making process. If it is not done or not done effectively, decisions may be either delayed or based on gut feel rather than analysis of their merits. Therefore, it is important to ensure that appropriately skilled staff are assigned to this activity, and that they are allocated sufficient time to perform the analysis. GOV.5 Manage Resources is the sub-process in which the decisionmaking, consisting of prioritization, acceptance or rejection of initiatives and allocation of resources to these takes place. GOV.6 Performance Measurement is concerned with monitoring the performance of IT including compliance with processes, assessment of controls and the status of projects.

6 Tactics to Achieve Strategy Step 1: Create/Review and implement principles IT principles play an important role in ensuring that an organization has the kind of IT services needed to support its business activities or, to put it another way, to ensure that the Information Technology provided is aligned with the business strategy. Principles should be defined and documented using the IT governance process, for example: Application development is out-tasked to a small number of trusted third parties The IT architecture should enable rapid scaling up or down of IT services capacity Procedures must demonstrably minimize risk of noncompliance with external regulations In order to be effective, however, principles need to be implemented, which is done through policies and standards. A familiar example of this is provided by security policies and standards. Each principle should be reviewed to identify the specific policies and standards needed to enforce it. For example, a policy derived from the first principle in the above list might state: Application development contracts may only be placed with companies on the approved list. A standard might be defined for the specific criteria that a company would need to satisfy in order to gain approval. Step 2: Define/Review IT architecture and enforce it As illustrated in Figure 1, IT architecture is influenced by IT principles and application requirements. If no architecture exists, one should be defined using the IT governance process. If there is an existing architecture, it should be reviewed regularly using the same process in order to ensure that it still supports IT services that are aligned with the business strategy. In a similar fashion to IT principles, compliance with the chosen IT architecture should be enforced through the use of appropriate policies and standards, which should be published so that anyone who may need to use them will be aware of their existence. Many organizations have chosen to create an IT Architecture Committee that has the responsibility to ensure that policies and standards are properly integrated and are regularly updated to reflect changes in technology. This committee is also responsible for deciding whether and when exceptions to policies or standards are acceptable. Examples of policies include: All customer-facing applications will be hosted in both the live and backup data centers Wireless networks will be deployed within all locations for end user access to applications Application firewalls will be used to protect against the inclusion of confidential data in Instant Messenger conversations Step 3: Ensure that IT services and processes are governable As we have discussed, IT governance is about making decisions, and to ensure that good decisions are made, good data is needed on which to base them. Analysis of the performance of IT in business terms relies on the ability to measure the key metrics identified in Step 1 in Strategy. This information enables resources (funding and staff time) to be focused on the services and processes that need them the most. Proposed changes to the infrastructure must be accompanied by information about why they are needed and what their effect will be. For example, a proposal in the Capacity Plan to increase the bandwidth of a network link should be based on an analysis of current utilization, the anticipated change in network traffic and the way in which additional bandwidth would accommodate this change. Therefore, an important step in implementing effective IT governance is ensuring that the IT environment is actually governable. This means that the performance of IT services is measured and reported upon and that the resources used to deliver these are deployed via consistent operational service delivery and service management processes. Although some organizations still choose to design their own IT processes, the quickest and most effective way to achieve consistent processes and measurements is to deploy a standard IT service management framework such as ITIL. The ITIL process architecture developed by BT from the official ITIL reference material published by the UK s OGC (Office of Government Commerce) is shown in Figure 3. An approach for rapidly implementing ITIL best practices is described in the white paper Five Steps to Implementing ITIL.

7 Step 4: Set targets The measurement of IT performance is a key part of the IT governance process. The final tactical step is to set targets for the performance of IT service management processes and the metrics defined in Step 1 of Strategy. These targets set performance objectives in terms of improvements in alignment, value and the effectiveness of IT-related risk management. Achievement against them enables IT management to determine whether they are meeting business expectations. However, it is important to recognize that the introduction and use of targets is not something that can be done without the support and agreement of everyone involved in the provision of IT services. IT performance measurement and the introduction of a formal IT governance process require a cultural change within the IT organization as well as the business units that use IT services. This means placing more focus on the effect that IT has on the business so that everyone involved is keen to strive for achievement of the targets rather than seeing them as some kind of mechanism designed to control their behavior. The role of IT governance is an enabling one, and for it to be effective, IT staff must see it in this light and value it for what it enables them to collectively achieve. Failure to meet process targets is initially something to be investigated by the IT staff involved in performing the process and the process owner. If it is discovered that there is an issue with process compliance or a problem with the process itself, the group should identify and implement suitable corrective action. However, if the reason for the failure is identified as a shortage of resources, the issue should be escalated to IT governance. Questions, such as what additional resources would be required to meet the target(s) and whether the target(s) have been set too high, should be discussed and a decision made as to how to resolve the gap either by adding resources or gaining agreement to lower targets. Investigation into the failure to meet overall targets set for alignment, business value or risk management should be driven by the IT governance process itself. If a project or initiative approved by IT governance is failing to deliver the expected benefits, its priority and use of resources should be carefully reviewed and adjustments made where necessary.

8 Conclusion This white paper attempts to dispel some of the mystery surrounding IT governance. BT believes that implementing effective IT governance is not such a daunting task as it might first appear when reduced to the strategic and tactical steps described. By following these steps, any organization large or small can make steady progress toward a governance process that continuously works to optimize the value that IT delivers to the business. Our experience and success in using this methodology allows us to provide guidance and practical help to clients wishing to achieve truly effective IT governance. About BT BT is one of the world s leading providers of communications solutions and services operating in 170 countries. Its principal activities include networked IT services, local national and international telecommunications services and higher-value broadband and Internet products and services. BT consists principally of four lines of business: BT Global Services, Openreach, BT Retail and BT Wholesale. British Telecommunications (BT) is a wholly owned subsidiary of BT Group and encompasses virtually all business and assets of the BT Group. BT Group plc is listed on stock exchanges in London and New York. For More Information Visit Offices worldwide The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc s respective standard conditions of contract. Nothing in this publication forms any part of any contract. British Telecommunications plc Registered office: 81 Newgate Street, London EC1A 7AJ Registered in England No: