Enterprise Governance of IT

Transcription

1 Enterprise Governance of IT Prof. dr. Wim Van Grembergen Dr. Steven De Haes University of Antwerp (UA) University of Antwerp Management School (UAMS) IT Alignment and Governance Research Institute (ITAG)

2 Agenda Enterprise Governance of IT Enterprise Governance of IT practices Enterprise Governance of IT as enabler for business / IT alignment Enterprise Governance of IT as enabler for business value 2

3 Setting the scene IT doesn t matter! (Nicolas Carr, HBR, 2003) 3

4 Setting the scene "Firms with superior IT governance have at least 20% higher profits...than firms with poor governance given the same strategic objectives." ( Louis Boyle, VP Gartner EXP, 2006) 4

5 IT governance definitions IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensuring the fusion of business and IT. (Van Grembergen, 2002) IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization s IT sustains and extends the organization s strategies and objectives. (IT Governance Institute, 2001) 5

6 Three layers IT GOVERNANCE Board of directors Executive management (CEO, CIO, ) IT and business management strategic level management level operational level 6

7 Moving to Enterprise Governance of IT Enterprise governance of IT (EGIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organisation that enable both business and IT people to execute their responsibilities in support of business/it alignment and the creation of business value from IT-enabled business investments. (Van Grembergen & De Haes, 2009) 7

8 ISO principles for Enterprise Governance of IT Principle 1: Responsibility Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions. Principle 2: Strategy The organization s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization s business strategy. Principle 3: Acquisition IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term. Principle 4: Performance IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements. Principle 5: Conformance IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced. Principle 6: Human Behaviour IT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the people in the process. 8

9 Key assets governance Board Executive committee Key assets Human assets Financial assets Physical assets IP assets Inform. & IT assets Relationsh ip assets Financial governance practices IT governance practices 9

10 IT Governance versus IT Management (Peterson, 2003) Business Orientation External IT Governance Internal IT Management Present Future Time Orientation 10

11 Structures, processes and relational mechanisms Structures Roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s) Processes Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT, Val IT, ITIL, IT alignment / governance maturity models Enterprise governance of IT 11 Relational mechanisms Active participation and collaboration between principle stakeholders, Partnership rewards and incentives, Business/IT co-location, Cross-functional business/it training and rotation

12 Structures: Roles & responsibilities (Weill & Woodham) IT principles IT architecture IT Infrastructure strategies Roles & Business responsibilities Application needs IT investment (Weill & Woodham) Input Decision Input Decision Input Decision Input Decision Input decision B. monarchy IT monarchy Feodal Federal Duopoly Anarchy Top three governance performers (achieving 4 performance objectives, weighted by importance) 12

13 Structures: Principles for Enterprise Governance of IT IT is a professional organization that effectively and efficiently manages its resources in alignment with the needs of the organization. IT is the exclusive provider of IT services. Outsourcing is always organised in joint partnership between business and IT. IT is pro-actively engaged in further developing and innovating the organization. IT primarly develops and maintains compentencies that are aligned to and required for supporting the expertise available in the organization. The priorities within IT are aligned to the strategic goals of the organizations through integrated planning cycles. All IT applications comply with rules and policies as mutually agreed upon by business and IT IT is pro-actively engaged in reviewing and designing efficient business processes. IT and the business collaborate based on fixed agreements. Based on a scope definition, impact analysis and capacity reviews, both business and IT committ for timely delivery within quality requirements. There is transparancy on the required service quality that IT has to deliver to the business, and this service quality is continuously monitored. Starting from the initial development of new business project, the potential impact on IT needs to be analysed. 13

14 Structures: IT strategy committee (IT Governance Institute, 2002) a board may carry out its IT governance duties through an IT strategy committee the IT strategy committee has to consider: how the board should become involved in IT governance how to integrate the board s role in IT and business strategy the IT strategy committee needs to offer expertise and timely advice and direction on topics such as: the alignment of IT with the business directions the achievement of strategic IT objectives the availability of suitable IT resources, skills and infrastructure optimization of IT costs the role and the value delivery of external IT sourcing risk, return and competitive aspects of IT investments progress on major IT projects measurement of IT performance 14

15 Structures: IT strategy committee (IT Governance Institute, 2002) membership: chairman (board member) several board members IT experts as external advisors the IT strategy committee should work in close partnership with other board committees management committees 15

16 Structures: IT strategy committee versus IT steering committee (IT Governance Institute, 2002) an IT strategy committee is on board level whereas an IT steering committee is on executive level an IT steering committee: assists the executive in the delivery of the IT strategy oversees day-to-day management of IT service delivery and IT projects focuses on implementation membership of an IT steering committee sponsoring executive business executive (key users) CIO key advisors as required (IT, audit, legal, finance) 16

17 Processes: Balanced Scorecard (Van Grembergen et al., 2002; Van Der Zee and De Jong, 1999) basic idea of the BSC is that traditional financial measures should be supplemented with measures concerning customer satisfaction, internal processes, and the ability to innovate the BSC, initially developed at enterprise level, can also be applied to IT and through a cascade of business and IT scorecards integrated business and IT management can be realized when using the BSC alignment method, business goals and the drivers of business success are identified, including specific IT drivers (In this way, IT can be integrated in the business). IT BSC is becoming a popular tool with its concepts widely supported and and dispersed by consultant groups 17

18 Generic IT Balanced Scorecard Corporate Contribution User Orientation Operational Excellence Future Orientation 18

19 Corporate Contribution Scorecard To enable and contribute to the achievement of business objectives through effective delivery of value added information services. Objective Measures Benchmark Business/IT Alignment Operational plan/budget approval N/A Value Delivery Measured in business unit performance N/A Cost Management Risk Management Inter-company Synergy Achievement Attainment of expense and recovery targets Attainment of unit cost targets Results of internal audits Execution of Security Initiative Delivery of Disaster Recovery Assessment Attainment of targeted integration cost reductions Single system solutions Target State Architecture approval IT organization integration Industry expenditure comparisons Compass operational Top Performing levels OSFI Sound Business Practices N/A N/A Merger & Acquisition guidelines N/A N/A N/A 19

20 User Orientation Scorecard To be the supplier of choice for all information services, either directly or indirectly through supplier relationship Objective Measures Benchmark Competitive Costs Attainment of unit cost targets Compass operational Top Performing levels Blended labour rates Market comparisons Development Services Performance Major project success scores: recorded goal attainment sponsor satisfaction rating project governance rating N/A Operational Services Performance Attainment of targeted service levels Competitor comparisons Customer Satisfaction Business unit survey ratings: cost transparency and levels service quality and responsiveness value of I.S. advice and support contribution to business objectives N/A 20

21 Operational Excellence Scorecard To deliver timely and effective IT services at targeted service levels and costs Objectives Measures Benchmark Development Process Performance Function point based measures of: productivity quality delivery rate TBD Operational Process Performance Process Maturity Enterprise Architecture Management 21 Benchmark based measures of: productivity responsiveness change management effectiveness incident occurrence levels Assessed levels of maturity and compliance in priority processes within: planning and organization acquisition and implementation delivery and support monitoring Major project architecture approval Product acquisition compliance to technology standards State of the Infrastructure assessment Selected Compass Benchmark studies TBD (ITGI) N/A

22 Future Orientation Scorecard To develop the internal capabilities to continuously improve performance through innovation, learning and personal organizational growth Objectives Measures Benchmark Human Resource Management Employee Satisfaction Knowledge Management Results against targets: staff complement by skill type staff turnover staff billable ratio professional development days per staff member Employee satisfaction survey scores in: compensation work climate feedback personal growth vision and purpose Delivery of internal process improvements to Cybrary Implementation of lessons learned sharing process N/A Market comparison Industry standard Industry standard North American technology dependent companies N/A N/A 22

23 Cascade of scorecards Business Objectives IT strategic balanced scorecard Operational Services Scorecards Governance Services Scorecards Development Services Scorecards 23

24 IS Service Desk Unit Scorecard Roll-up to Service Level Performance metrics in IS Strategic Scorecard Average Speed of Answer Resolution Rate at Initial Call Call Abandonment Rate Corporate Contribution Expense Management * Cost per Contact Cost per User Customer Orientation Client Satisfaction * Average Speed of Answer Resolution Rate at Initial Call Call Abandonment Rate Customer Caused Incidents 24 IS Process DS8 Process Maturity (Incident Management) Call Volume Percent Automatically Logged Incidents Call Monitoring: Quality of Tickets & Quality of Calls Average Number of Calls/Agent * Will Aggregate as part of the I.S. Strategic Scorecard Future Orientation Staff Complement * Staff Turnover * PD Days/Staff Member * Employee Satisfaction * Implementation of Knowledge Base Tool

25 Causal relationships THEN THEN Measuring up to business expectations governance (user orientation) THEN Carrying out the roles of the IT division's mission (operational excellence) Ensuring effective IT Governance (business contribution) IF Building the foundation for delivery and continuous learning and growth (future orientation) 25

26 IT BSC maturity model MATURITY LEVEL 1: There is evidence that the organization has recognized that there is a need for a measurement system for its information technology division. There are ad hoc approaches to measure IT with respect to the two main IT processes, i.e. operations and systems development. This measurement process is often and individual effort in response to specific issues. MATURITY LEVEL 2: Management is aware of the concept of the IT balanced scorecard and has communicated its intent to define appropriate measures. Measures are collected and presented to management in a scorecard. Linkages between outcome measures and performance drivers are generally defined but are not yet precise, documented or integrated into strategic and operational planning processes. Processes for scorecard training and review are informal and there is no compliance process in place. MATURITY LEVEL 3: Management has standardized, documented and communicated the IT BSC through formal training. The scorecard process has been structured and linked to business planning cycle. The need for compliance has been communicated but compliance is inconsistent. Management understands and accepts the need to integrate the IT BSC within the alignment process of business and IT. Efforts are underway to change the alignment process accordingly. MATURITY LEVEL 4: The IT BSC is fully integrated into the strategic and operational planning and review systems of the business and IT. Linkages between outcome measures and performance drivers are systematically reviewed and revised based upon the analysis of results. There is a full understanding of the issues at all levels of the organization that is supported by formal training. Long term stretch targets and priorities for IT investment projects are set and linked to the IT scorecard. A business scorecard and a cascade of IT scorecards are in place and are communicated to all employees. Individual objectives of IT employees are connected with the scorecards and incentive systems are linked to the IT BSC measures. The compliance process is well established and levels of compliance are high. MATURITY LEVEL 5: The IT BSC is fully aligned with the business strategic management framework and vision is frequently reviewed, updated and improved. Internal and external experts are engaged to ensure industry best practices are developed and adopted. The measurements and results are part of management reporting and are systematically acted upon by senior and IT management. Monitoring self-assessment and communication are pervasive within the organization and there is optimal use of technology to support measurement, analysis, communication and training. 26

27 Processes: Information Economics (Parker, M., 1996; Van Grembergen and Van Bruggen, 1997) the information economics method is an alignment technique whereby both business and IT score IT projects this evaluation methods takes into account the ROI of a project and different non-tangibles such as strategic match of the project (business evaluation) and match with the strategic IT architecture (IT evaluation) information economics is a scoring technique resulting in a weighted total score based on the scores for the ROI and the non-tangibles (typically scores from 0 to 5 are attributed whereby 0 means no contribution and 5 refers to a high contribution) information economics can be used as an alignment process with as objectives to prioritize and select projects 27

28 28

29 Processes: COBIT and VALIT as frameworks for Enterprise Governance of IT Enterprise Governance of IT COBIT Focus on IT processes Val IT Foucs Focus - on IT related business processes 29

30 COBIT Framework ME1. monitor and evaluate IT performance ME2. monitor and evaluate internal control ME3. ensure regulatory compliance ME4. provide IT governance MONITOR AND EVALUATE Business and Governance Objectives INFORMATION Criteria effectiveness efficiency confidentiality integrity availability compliance reliability IT RESOURCES data application systems Infrastructure people PO1. define a strategic IT plan PO2. define the information architecture PO3. determine technological direction PO4. define the IT processes, organization and relationships PO5. manage the IT investment PO6.communicate management aims and direction PO7. manage IT human resources PO8. manage quality PO9. assess and manage risk PO10. manage projects PLANNING AND ORGANISATION DS1. define and manage service levels DS2. manage third party services DS3. manage performance and capacity DS4. ensure continuous service DS5. ensure systems security DS6. identify and allocate costs DS7. educate and train users DS8. manage service desk and incidents DS9. manage the configuration DS10. manage problems DS11. manage data DS12. manage the physical environment DS13.manage operations 30 DELIVERY AND SUPPORT ACQUISITION AND IMPLEMENTATION AI1. identify automated solutions AI2. acquire and maintain application software AI3. acquire and maintain technology infrastructure AI4. enable operation and use AI5. procure IT resources AI6. manage changes AI7. install and accredit solutions and changes

31 The Major Elements of COBIT p High-level and detailed Control Objectives pmanagement Guidelines p Inputs outputs p RACI chart p Goals and metrics pmaturity models p Assurance Guidelines Implementation Guidelines 31

32 COBIT Control Objectives

33 33 Example: Detailed Control Objectives for Manage Changes (AI6) AI6.1 Change Standards and Procedures Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. AI6.2 Impact Assessment, Prioritisation and Authorisation Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder. AI6.3 Emergency Changes Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change. AI6.4 Change Status Tracking and Reporting Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms. AI6.5 Change Closure and Documentation Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.

34 COBIT - IT Control Practices DS8.1 Service Desk Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users satisfaction with the quality of the service desk and IT services. 1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management. 2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident. 3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution. 4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation. 5. Using the service desk software, create service desk performance reports to enable performance 34 monitoring and continuous improvement of the service desk.

35 COBIT Management Guidelines Inputs Outputs 35

36 Each process has primary inputs and outputs with process linkages Inputs Mission and Goals Understanding of the business context, capability and capacity Business Strategy Risk Appetite PO1 Outputs Strategic Plan Tactical Plan Project Portfolio Service Portfolio 36

37 COBIT Management Guideline RACI Chart 37

38 RACI chart providing roles and responsibilities CEO CARS CFO Business Executive CIO Business Sr Management Head of Operations Chief Architect or CTO Head of Development Head of IT Admin HR, Fin, etc PMO PO1 38

39 COBIT Management Guideline Goals and metrics 39

40 40 Example: Goals and metrics for Manage Changes (AI6)

41 COBIT Maturity models 41

42 42 Example: Maturity Model for Manage Changes (AI6) 0 Non-existent when There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management. 1 Initial/ Ad Hoc when It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management. 2 Repeatable but Intuitive when There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change. 3 Defined Process when There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies. 4 Managed and Measurable when The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process. 5 Optimised when The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.

43 Portfolio Management Programme Management Val IT: Projects, Programmes, Portfolios and Value Value the end business outcome expected from an IT-enabled business investment where such outcomes may be financial, non-financial or a combination of the two. Portfolio a suite of business programmes managed to optimise overall enterprise value Programme a structured grouping of projects that are both necessary and sufficient to achieve a business outcome and deliver value, including business change management, business processes, people, etc. (primary unit of investment within VALIT) 43 Project Management Project a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget (that is necessary but not sufficient to achieve a required business outcome)

44 Val IT - Relationship between Processes & Practices Establish Governance Framework for Value Management (VG) Establish informed and committed leadership Align and integrate Value Management with enterprise financial planning Define and implement processes Establish effective governance monitoring Define portfolio types Implement lessons learned Manage the Investment Portfolio (PM) Establish strategic direction and target investment mix Evaluate and select programmes to fund Determine availability and sources of funding Monitor and report on portfolio performance Human Resource Management Optimise portfolio performance Develop and evaluate initial programme concept business case Understand candidate programme and implementation options Develop the programme plan Develop full life cycle costs and benefits Manage the Investments (IM) Develop detailed candidate programme business case Update the business case Launch and manage the programme Monitor and report on the programme Update operational IT portfolios Retire the programme 44

45 VG processes VG01 Establish informed and committed leadership: - VG01.1 Develop an understanding of significance of IT and role of governance - VG01.2 Establish effective reporting lines - VG01.3 Establish a leadership forum - VG01.4 Define value for the enterprise - VG01.5 Ensure alignment and integration of business and IT strategies with key business goals VG02 Define and implement processes: - VG02.1 Define the value governance framework - VG02.2 Assess the quality and coverage of current processes - VG02.3 Identify and prioritise process requirements - VG02.4 Define and document processes - VG02.5 Establish, implement and communicate roles, responsibilities and accountabilities - VG02.6 Establish organisational structures VG03 Define portfolio characteristics: - VG03.1 Define portfolio types - VG03.2 Define categories (within portfolios) - VG03.3 Develop and communicate evaluation criteria (for each category) - VG03.4 Assign weightings to criteria 45 - VG03.5 Define requirements for stage-gates and other reviews (for each category)

46 Example VG01.1 Develop an understanding of significance of IT and role of governance 46 Low to high need for reliable information technology Factory Mode Support Mode Strategic Mode Turnaround Mode Low to high need for new information technology Nolan R., McFarlan F.W., 2005, Information Technology and Board of Directors, Harvard Business Review

47 Example VG03.2 Define categories (within portfolios) Investment budget Major business enablement and infrastructure budget eg. implementation SAP +/- 33% Increased control Better information Better integration Improved quality Informational Strategic Increased sales Competitive advantage Competitive necessity Market positioning Innovative services ICT basic budget Continuity budget Upgrade or enhancement of existing applications eg. implementation of specific reporting due to legal requirements Maintenance budget Break/fix projects under eight man weeks eg. creation of new screens +/- 33% +/- 33% +/- 50% Cut costs Increased throughput Transactional Infrastructure Business integration Business flexibility and agility Reduced marginal costs of business unit s IT Reduced IT costs over time Standardization KBC Production budget +/- 50% 47 Weill Change The Rule Win The Race Stay In The Race McKinsey

48 Example VG03.3 Develop and communicate evaluation criteria (for each category) H H HIGH PROJECT CLASS NUMBER OF PLANNED MAN DAYS > 2000 PROFITA BILITY: PAY BACK TIME (YEARS) < 1.5 COMPETITIVE ADVANTAGE IMPROVE PERFORMANCE SIGNIFICANTLY ON CUSTOMER KEY BUYING FACTORS FOR STRATEGIC SEGMENTS BASIC CRITERIA OPERATIONAL URGENCY DIRECT REACTION ON EXTREME OPERATIONAL RISK, CHANGED LEGAL OR OPERATIONAL ENVIRONMENT, EXTREME MAINTENANCE RISK DECISION SUPPORT HIGH IMPACT SUPPORT FOR KEY DECISION MAKERS Project class Project class MH M ML L H MH M ML L L ML M MH Profitablity H Project class Project class MH M ML L H MH M ML L L ML M MH H Competitive advantage MEDI UM HIGH IMPROVE PERFORMANCE ON CUSTOMER KEY BUYING FACTORS FOR OTHER SEGMENTS ELIMINATE CRITICAL OPERATIONAL HANDICAPS OTHER SUPPORT FOR KEY DECISION MAKERS L ML M MH H Operational urgency A L ML M MH H Decision support 5 points on at least one criterion MEDI UM MEDI UM LOW LOW < > 6 IMPROVE PERFORMANCE SLIGHTLY ON CUSTOMER KEY BUYING FACTORS IMPROVE PERFORMANCE ON OTHER BUYING FACTORS NO IMPACT ON COMPETITIVE POSITION REDUCE WEEK POINTS IN CURRENT OPERATIONS AVOID SMALL PROBLEMS IN OPERATIONAL USAGE NO URGENCY HIGH IMPACT FOR OTHER MANAGEMEN T ONGOING SUPPORT FOR OTHER MANAGEMEN T NO IMPACT ON MANAGEMEN T EFFECTIVEN ESS Accept, high priority B 4 points on profitability or 3 points on at least two criteria Accept C 3 points on profitability or total of 7 points Accept if resources available D 3 points on one criterion Accept only if subcontractable 48 Sidmar-Arcelor E Decline All other projects

49 VG processes VG04 Align and integrate Value Management with enterprise financial planning: - VG04.1 Review current enterprise budgeting practices - VG04.2 Determine Value Management financial planning practice requirements - VG04.3 Identify changes required - VG04.4 Implement optimal financial planning practices for Value Management VG05 Establish effective governance monitoring: - VG05.1 Identify key metrics - VG05.2 Define information capture processes and approaches - VG05.3 Define reporting methods and techniques - VG05.4 Identify and monitor performance improvement actions VG06 Continuously improve Value Management practices - VG06.1 Implement lessons learnt 49

50 PM processes PM01 Establish strategic direction and target investment mix: - PM 1.1 Review and ensure clarity of business strategy and goals - PM 1.2 Identify opportunities for IT to support and influence the business strategy - PM 1.3 Define appropriate investment mix - PM 1.4 Translate business strategy and goals into IT strategy and goals PM02 Determine the availability and sources of funds: - PM02.1 Determine overall investment funds PM03 Manage availability of human resources: - PM03.1 Create and maintain an inventory of business human resources - PM03.2 Understand the current and future demand (for business human resources) - PM03.3 Identify shortfalls (between current and future business human resource demand) - PM03.4 Create and maintain tactical plans (for business human resources) - PM03.5 Monitor, review and adjust (business function allocation and staffing) - PM03.6 Create and maintain an inventory of IT human resources - PM03.7 Understand the current and future demand (for IT human resources) - PM03.8 Identify shortfalls (between current and future IT human resource demand) 50 - PM03.9 Create and maintain tactical plans (for IT human resources) - PM03.10 Monitor, review and adjust (IT Function allocation and staffing)

51 Example IT Goals Developing innovative IT services with a focus on information security Fulfilling SLA's with business departments Increasing IT department efficiency Integration and consolidation of different IT departments IT disaster recovery and business continuity IT governance / IT strategic alignment IT measures to satisfy Basel II requirements Lowering cost of transaction processing Making IT measurable Optimizing the IT infrastructure Rapid development of new IT services Reducing external staff Standardising IT systems Business Goals PM 1.4 Translate business strategy and goals into IT strategy and goals Achieving compliance with Basel II regulations S S P Improving competitiveness through IT P P S P Improving customer orientation and service P S P S S P S Post-merger integration and consolidation P S S S S Reducing operational cost P P S S P P P P P Reducing transaction cost P S S P P S S Risk management S P S S P P S P S Shortening service development lifecycle S S P Tailoring solutions for different target groups P S 51

52 PM processes PM04 Evaluate and select programmes to fund: - PM 4.1 Evaluate and assign relative scores to programme business cases - PM 4.2 Create overall investment portfolio view - PM 4.3 Make and communicate investment decisions - PM 4.4 Specify stages-gate and allocate funds to selected programmes - PM 4.5 Adjust business targets, forecasts and budgets PM05 Monitor and report on investment portfolio performance - PM 5.1 Monitor and report on portfolio performance PM06 Optimise investment portfolio performance - PM 6.1 Optimise portfolio performance - PM 6.2 Reprioritise the portfolio 52

53 Example PM 4.1 Evaluate and assign relative scores to programme business cases 53 Scoring investeringsdossiers ATS Trekk. Pnr Naam dossier ATS Rendement Aansluiting op strategie Competitief voordeel en noodzaak Noodzaak Ondersteuning management Informatie architectuur Vermindering operationele risico's Projectrisico & organisatorisch risico Investeringsdossiers Doorlopende dossiers in 2004 RET MKT 0020 Intrest and liquidity risk (ALM_TDI) OND OND 0021 Quantitative Credit Risk Management (QCR) RET RET 0119 KBD : Multikanalen krediettoep. aan particulieren RET RET 0202 KIT RET RET 0232 Oleander (totaaloplossing Leven Ondernemingen) NAV NAV 0245 Collateral Management Fase BED BED 0292 Bankwijd Web-enablen van ICMtoepassingen NAV NAV 0397 IPE / EBOBA NAV NAV 0399 Verwerking OTC Derivaten RET RET 0403 VA Front-end Leven RET RET 0406 Product fabriek Schadeverzekeringen OND OND 0442 Operationeel Risicobeheer RET RET 0449 Herwerken cliënten output OND OND 0456 IAS Verzekeringen OND OND 0479 Beperking van de volatiliteit onder IAS OND OND 0501 ERP voor ondersteunende diensten B+V RET RET 0518 OFS (Ontwikkeling Financiele Services) Nieuwe RET RET 0308 Migratie Centea OND OND 0480 Reconciliatietool RET RET 0884 Pleander Voorstudie Particulieren leven anders OND OND 0887 Europese Spaarfiscaliteit OND OND 0899 ERP - Fase Geel Groen Rood Waardecategorie Risico's Functionele onzekerheid Technische onzekerheid

54 Example PM 4.2 Create overall investment portfolio view 10 9 Proceed Program 21 Program Hold Program 03 Program 24 Program 02 Program 17 Program 19 Program 09 Program 01 Program 06 Program 23 Program 08 Financial Worth vs. Risk 4 Program 11 Legend Financial Worth Stop Program 16 Program 12 Program 07 Program Program Right Things Confirmed Benefits Right Way Done Well Green = Are Risk score between 1 & 3.9 Yellow = Are Risk score between 4 & Overall Risk Red = Are Risk score between 7 & 10 Source: Fujitsu

55 IM processes IM01 Develop and evaluate initial programme concept business case: - IM01.1 Recognise investment opportunities - IM01.2 Develop initial programme concept business case - IM01.3 Evaluate initial programme concept business case IM02 Understand the candidate programme and implementation options: - IM02.1 Develop a clear and complete understanding of the candidate programme - IM02.2 Perform alternatives analysis IM03 Develop the programme plan: - IM03.1 Develop a programme plan IM04 Develop full life-cycle costs and benefits: - IM04.1 Identify full life-cycle costs and benefits - IM04.2 Develop benefits realisation plan - IM04.3 Perform appropriate reviews and obtain sign-offs IM05 Develop the detailed candidate programme business case: - IM05.1 Develop detailed programme business case - IM05.2 Assign clear accountability and ownership - IM05.3 Perform appropriate reviews and obtain sign-offs 55

56 IM04.1 Identify full life-cycle costs and benefits 56

57 Example We are here on the Journey IM04.2 Develop benefits realisation plan (example of a web2.0 programme) Programme Outputs/ Capability Operational & Business Changes Outcomes Intermediate Benefits End Benefits ISACA Strategic Objectives Example - Enhanced web & E commerce System Faster search engine Example Business Process Reengineering e.g. Registration, Exams & certification Example -More Automated Processes, Less outages Example Improved Online self Help, reduced Calls for help Reducing costs Example Create Expanded access to Knowledge & Networking Opportunities ISACA Strategy Map E.G A07 Enhance Community Experience LEGEND Output describes a feature or enables a new outcome Outcome is the desired operational result Benefit 57 is the measurement of an outcome and describes an advantage accruing from the outcome. An End Benefit is a direct contribution to a strategic objective.

58 Example 1. Cover sheet Programme name Business sponsor Programme manager Revision notes Validation signatures Approval signature 2. Executive summary Programme context Name Business ssponsor Track record of management team Category of investment Programme description/profile Synopsis of business case assessment Programme contribution (value) Programme timing (schedule) Risk, financial return and alignment scores Dependencies Key risks Comparative value summary IM05.1 Develop detailed programme business case 3. Are we doing the right things? (Why?) Financial benefits (full economic life cycle, best case, worst case, most likely case) Financial costs (full economic life cycle, full IT and business costs, best case, worst case, most likely case) Non-financial benefits (alignment) Non-financial (alignment, efficiency) costs Risk analysis (key risks and mitigation strategies) Organisational 58 change impact Impact of not doing the programme - Opportunity cost

59 Example 4. Are we doing things the right way? (What and How?) Alternative approaches Selected approach High-level analytic mode Programme milestones Critical success factors Programme dependencies Enterprise architecture compliance Security policy compliance Key risks IM05.1 Develop detailed programme business case 5. Are we doing things well? (How?) Programme execution plan High-level benefits realisation plan Risk management Change management Governance structure (controls) Key risks 6. Are we getting the benefits? Description of benefits (projected life, full economic life cycle, best case, worst case, most likely, or base, case) High-level benefits register Financial benefits Key risks 7. Appendices Detailed analytic model Detailed project plan Detailed risk management plan Detailed 59 benefits realisation plan Full benefits register

60 IM processes IM06 Launch and manage the programme: - IM06.1 Plan projects, resource and launch the programme - IM06.2 Manage the programme - IM06.3 Track and manage benefits IM07 Update operational IT portfolios: - IM07.1 Update operational IT portfolios IM08 Update the business case: - IM08.1 Update the business case IM09 Monitor and report on the programme: - IM09.1 Monitor and report on programme (solution delivery) performance - IM09.2 Monitor and report on business (benefit/outcome) performance - IM09.3 Monitor and report on operational (service delivery) performance IM10 Retire the programme: - IM10.1 Retire the programme 60

61 VALIT Management Guidelines From Inputs Outputs To * High-level business requirements Initial business case IM2 COBIT PO1COBIT PO5 COBIT AI1 PM1 Appropriate investment mix Initial business case approval IM3 IM4 IM6 COBIT PO1 COBIT PO10 IM1 Initial business case COBIT AI1 COBIT PO1 IT services portfolio COBIT PO5 IT cost-benefit estimates COBIT PO9 Risk assesment Functions Activities Board CEO Create an environment that fosters and welcomes new ideas and R A/R R R acknowledges their champions. Suggest new opportunities. R A/R R R R R R R Capture opportunities for investment programmes to create value in support of the business strategy or to address operational or C C C R C R A/R compliance issues. Categorise the opportunity. Clarify expected business outcome(s) and identify, at a high level, business, process, people, C R C C A/R technology and organisational initiatives required to achieve the expected outcomes. Determine which opportunities to pursue further or examine in more depth, and identify and assign a business sponsor for each C C C C C A/R C C opportunity to be pursued. Describe the business outcome(s) to which the potential programme will contribute, the nature of the programme s C C C A R R contribution, and how the contribution would be measured. Identify high-level initiatives that might be required to achieve C C A R R these outcomes. Estimate the high-level benefits, both financial and non-financial, and the costs for the full economic life cycle of the programme. State any key assumptions and identify key risks, along with their potential impact on current and future business operations, and mitigation strategies. Document the initial programme concept business case with information obtained. Review and evaluate the initial programme concept business case. Determine whether the programme should proceed to full programme definition and evaluation. Obtain CIO approval and sign-off on the technical aspects of the initial programme concept business case. Obtain business sponsor approval and sign-off on overall initial programme concept business case. Compliance, Risk, Audit Security Investment Value and Services Board Management Office CFO CIO Business Sponsor Programme Manager Management Office Business Programme C C C A R R C C R A R R C A R C C C A R R R C C C A R R R I R A R I A R Management Project Management Office Inputs / outputs RACI 61 GOALS METRICS ACTIVITIES PROCESS IM An environment that fosters and Individuals throughout the enterprise Ensure that the enterprise s captures new ideas exists. suggest new investment opportunities. individual IT-enabled investments A process and responsibilities for Ideas are collected, understood and contribute to optimal value. submission and categorisation of new categorised correctly for the ideas exist and are used. investment portfolio. Champions of new ideas that are Good ideas are selected efficiently adopted are rewarded. and expediently for further study. Outlines of potential business Good ideas are assigned business initiatives and their outcomes are sponsors. identified. Documented initial concept business High-level benefits and costs are cases with outcomes, benefits, identified for potential investment. assumptions, costs and risks are Significant risks, and assumptions prepared. and mitigation plans are documented. The content of initial programme Number of suggestions Percentage of champions rewarded Consistency and compliance of assessments and assumptions with enterprise s processes and practices Elapsed time between approval to prepare initial programme concept business case and sign-offs being obtained Age and backlog of non-processed ideas Number of programme concept business cases considered Percentage of ideas accepted to be Contribution of individual IT-enabled developed into initial programme investments to optimal value concept business cases Number of new ideas per investment category Number of ideas trying to bypass enterprise s processes and practices Number and percentage of sign-offs obtained without resubmission Number and percentage of programme concept business cases that continue to full business case development Goal & metrics

62 Role Board Suggested definition The group of the most senior executives and/or non-executives of the enterprise, who are accountable for the governance of the enterprise and have overall control of its resources Roles & Responsibilities Business sponsor (incl. service owner) Business unit executives / managers Compliance, audit, risk and security (CARS) Chief Executive Officer (CE0) Chief Financial Officer (CF0 Chief Information Officer (CIO) Investment and services board (ISB) Head of Human Resources Programme Manager Programme Management Office (PgMO) Project Management Office (PMO) Value Management Office (VMO) 62 The individual accountable for delivering benefits and value to the enterprise from an IT-enabled business investment programme Business individuals with roles with respect to a programme The function(s) in the enterprise responsible for compliance, audit, risk and security The highest ranking officer, who is in charge of the total management of the enterprise The most senior official of the enterprise, who is accountable for financial planning, record keeping, investor relations and financial risks The most senior official of the enterprise, who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information, and the deployment of associated human resources A management structure primarily accountable for managing the enterprise s portfolio of investment programmes and existing/current services and, thus, managing the level of overall funding to provide the necessary balance between enterprise-wide and specific line-of-business needs The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise The individual responsible for the achievement of the programme s objectives The function responsible for supporting programme managers and gathering, assessing and reporting information about the conduct of their programmes and constituent projects The function for supporting project managers; defining and propagating standardised methodologies; and gathering, assessing and reporting information about the conduct of their projects The function that acts as the secretariat for the ISB in managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, value governance/management methods and controls, and reporting on progress in sustaining and creating value from investments and services

63 Relational mechanisms (Peterson, 2003) Effective communications and knowledge sharing Active participation and collaboration of principle stakeholders Partnership rewards and incentives Business/IT collocation Cross-functional business/it training and job rotation IT leadership 63

64 IT governance international benchmarking IT governance implementation status ( IT governance global status report, ITGI, 2008) 64

65 IT governance implementation by industry ( IT governance global status report, ITGI, 2008) 65

66 Agenda Enterprise Governance of IT Enterprise Governance of IT practices Enterprise Governance of IT as enabler for business / IT alignment Enterprise Governance of IT as enabler for business value 66

67 Implementation of EGIT in practice Requires: A holistic set of Structures Processes Governance Processes Structures Relational Mechanisms Enterprise governance of IT Relational mechanisms at all 3 layers of the organization. 67

68 a list of 33 EGIT practices based on delphi research 12 structures 11 processes 10 relational mechanisms 68

69 EGIT: Practices identified & defined structures: 12 practices Best Practice IT strategy committee at level of board of directors IT expertise at level of board of directors (IT) audit committee at level of board of directors CIO on executive committee CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer) IT steering committee (IT investment evaluation / prioritisation at executive / senior management level) Definition Committee at level of board of directors to ensure IT is regular agenda item and reporting issue for the board of directors Members of the board of directors have expertise and experience regarding the value and risk of IT Independent committee at level of board of directors over viewing (IT) assurance activities CIO is a full member of the executive committee CIO has a direct reporting line to the CEO and/or COO Steering committee at executive or senior management Level responsible for determining business priorities in IT investments. Level B E/S x x x x x x 69

70 EGIT: Practices identified & defined structures: 12 practices Best Practice IT governance function / officer Security / compliance / risk officer IT project steering committee IT security steering committee Architecture steering committee Integration of governance/alignment tasks in roles & responsibilities Definition Function in the organisation responsible for promoting, driving and managing IT governance processes Function responsible for security, compliance and/or risk, which possibly impacts IT Steering committee composed of business and IT people focusing on prioritising and managing IT projects Steering committee composed of business and IT people focusing on IT related risks and security issues Committee composed of business and IT people providing architecture guidelines and advise on their applications. Documented roles & responsibilities include governance/alignment tasks for business and IT people (cf. Weill) Level B E/S x x x x x x x 70

71 EGIT: Practices identified & defined processes: 11 practices Best Practice Strategic information systems planning Definition Formal process to define and update the IT strategy Level B E/S x x IT performance measurement (e.g. IT balanced scorecard) IT performance measurement in domains of corporate contribution, user orientation, operational excellence and future orientation x x Portfolio management (incl. business cases, information economics, ROI, payback) Prioritisation process for IT investments and projects in which business and IT is involved (incl. business cases) x x Charge back arrangements - total cost of ownership (e.g. activity based costing) Methodology to charge back IT costs to business units, to enable an understanding of the total cost of ownership x Service level agreements Formal agreements between business and IT about IT development projects or IT operations x 71

72 EGIT: Practices identified & defined processes: 11 practices Best Practice IT governance framework COBIT Definition Process based IT governance and control framework Level B E/S x IT governance assurance and self-assessment Regular self-assessments or indepent assurance activities on the governance and control over IT x x Project governance / management methodologies Processes and methodologies to govern and manage IT projects x IT budget control and reporting Processes to control and report upon budgets of IT investments and projects x x Benefits management and reporting Processes to monitor the planned business benefits during and after implementation of the IT investments / projects. x x COSO / ERM Framework for internal control x x 72

73 EGIT: Practices identified & defined relational mechanisms: 10 practices Best Practice Definition Level B E/S Job-rotation IT staff working in the business units and business people working in IT x Co-location Physically locating business and IT people close to each other x Cross-training Training business people about IT and/or training IT people about business x Knowledge management (on IT governance) Systems (intranet, ) to share and distribute knowledge about IT governance framework, responsibilities, tasks, etc. x x Business/IT account management Bridging the gap between business and IT by means of account managers who act as in-between x 73

74 EGIT: Practices identified & defined relational mechanisms: 10 practices Best Practice Executive / senior management giving the good example Informal meetings between business and IT executive/senior management Definition Senior business and IT management acting as "partners" Informal meetings, with no agenda, where business and IT senior management talk about general activities, directions, etc. (eg. during informal lunches) Level B E/S x x IT leadership Ability of CIO or similar role to articulate a vision for IT's role in the company and ensure that this vision is clearly understood by managers throughout the organization x x Corporate internal communication addressing IT on a regular basis Internal corporate communication regularly addresses general IT issues. x x IT governance awareness campaigns Campaigns to explain to business and IT people the need for IT governance x x 74

75 Perceived effectiveness of EGIT practices IT steering committee (IT investment evaluation / prioritisation) CIO reporting to CEO and/or COO CIO on executive committee IT budget control and reporting Portfolio management (incl. business cases, information economics, ROI, payback) Project governance / management methodologies IT project steering committee IT performance measurement (e.g. IT balanced scorecard) IT leadership Executive / senior management giving the good example Strategic information systems planning Informal meetings betw een business and IT executive/senior management Business/IT account management IT strategy committee at level of board of directors Service level agreements Corporate internal communication addressing IT on a regular basis IT governance framew ork COBIT Charge back arrangements - total cost of ow nership (e.g. activity based costing) Security / compliance / risk officer Know ledge management (on IT governance) Integration of governance/alignment tasks in roles&responsibilities (IT) audit committee at level of board of directors IT expertise at level of board of directors Architecture steering committee IT governance function / officer Benefits management and reporting IT governance aw areness campaigns IT security steering committee Cross-training Co-location IT governance assurance and self-assessment Job-rotation COSO / ERM 0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4,5 5, = not effective, 5 = very effective

76 Perceived ease of implementation of EGIT practices CIO reporting to CEO and/or COO Security / compliance / risk officer IT project steering committee IT budget control and reporting Informal meetings betw een business and IT executive/senior management Corporate internal communication addressing IT on a regular basis IT security steering committee CIO on executive committee (IT) audit committee at level of board of directors IT strategy committee at level of board of directors IT steering committee (IT investment evaluation / prioritisation) Business/IT account management IT governance aw areness campaigns Service level agreements Architecture steering committee IT governance function / officer Co-location Project governance / management methodologies IT leadership Cross-training Strategic information systems planning Executive / senior management giving the good example IT performance measurement (e.g. IT balanced scorecard) Know ledge management (on IT governance) Portfolio management (incl. business cases, information economics, ROI, payback) Integration of governance/alignment tasks in roles&responsibilities IT governance assurance and self-assessment IT governance framew ork COBIT Job-rotation Charge back arrangements - total cost of ow nership (e.g. activity based costing) Benefits management and reporting IT expertise at level of board of directors COSO / ERM 0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4, = not easy to implement,, 5 = very easy to implement

77 High Effectiveness Low IT governance practices that are highly effective but difficult to implement Key minimum baseline IT governance practices 4,9 4,8 4,7 S6 4,6 4,5 S1 IT strategy committee at level of board of directors S5 4,4 S2 IT expertise at level of board of directors S4 4,3 S3 (IT) audit committee at level of board of directors 4,2 S4 CIO on executive committee 4,1 IT steering committee CIO (Chief Information Officer) reporting to CEO (Chief Executive P3 P8 P9 4 S5 Officer) and/or COO (Chief Operational Officer) P2 S9 3,9 R8/R6 steering committee (IT investment evaluation / prioritisation at 3,8 P1 R5 S1 R7 S6 IT executive project / senior management steering level) 3,7 S7 IT governance function / officer 3,6 S8 Security / compliance / risk officer 3,5 P5 S9committee IT project steering 3,4 R9 3,3 S10 IT security steering committee P6/P4 S8 3,2 S11 Architecture steering committee S12 R4 S3 3,1 S12 Having Integration of governance/alignment the CIO tasks in roles&responsibilities S2 S11 3 P1 Strategic information systems planning 2,9 P2 IT performance measurement (e.g. IT balanced scorecard) P10 S7 2,8 reporting Portfolio management (incl. to business the cases, CEO information economics, P7 R3 R2 R10 S10 2,7 P3 ROI, payback) 2,6 Charge back arrangements - total cost of ownership (e.g. activity based 2,5 P4 Project costing) management 2,4 P5 Service level agreements P11 R1 2,3 IT governance practices P6 IT governance framework COBIT 2,2 P7methodologies IT governance assurance and self-assessment that are highly effective 2,1 P8 Project governance / management methodologies 2 P9 IT budget control and reporting and easy to implement 1,9 1,8 P10 Portfolio Benefits management and reporting management 1,7 P11 COSO / ERM 1,6 R1 Job-rotation 1,5 R2 Co-location IT budget control and IT governance practices 1,4 R3 Cross-training whose value is 1,3 R4 Knowledge management (on IT governance) 1,2 R5reporting Business/IT account management challenged 1,1 R6 Executive / senior management giving the good example 1 Informal meetings between business and IT executive/senior 0,9 R7 IT management leadership 0,8 R8 IT leadership 0,7 R9 Corporate internal communication addressing IT on a regular basis 0,6 R10 IT governance awareness campaigns 0,5 0,4 0,3 0,2 0,1 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1,0 1,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6 3,7 3,8 3,9 4,0 4,1 4,2 4,3 4,4 4,5 4,6 4, Difficult to implement Ease of implementation Easy to implement

78 Assignment EGIT practices in a case organisation 78

79 Maturity IT strategy committee at level of board of directors IT expertise at level of board of directors (IT) audit committee at level of board of directors CIO on executive committee CIO reporting to CEO and/or COO IT steering committee (IT investment evaluation / prioritisation at executive / senior management level) IT governance function / officer Security / compliance / risk officer IT project steering committee IT security steering committee Architecture steering committee Integration of governance/alignment tasks in roles&responsibilities Strategic information systems planning IT performance measurement (e.g. IT balanced scorecard) Portfolio management (incl. business cases, information economics, ROI, payback) Charge back arrangements - total cost of ownership (e.g. activity based costing) Service level agreements IT governance framework COBIT IT governance assurance and self-assessment Project governance / management methodologies IT budget control and reporting Benefits management and reporting COSO / ERM Job-rotation Co-location Cross-training Knowledge management (on IT governance) Business/IT account management Executive / senior management giving the good example Informal meetings between business and IT executive/senior management IT leadership Corporate internal communication addressing IT on a regular basis IT governance awareness campaigns Other practices 79 General remarks Organisation Rationale

80 Assignment Assess the As-Is and To-Be EGIT situation in your organisation 0 Non-existent There is a complete lack of any recognisable IT Governance process. 1 Initial/ad hoc The organisation has recognised that IT Governance issues exist and need to be addressed. 2 Repeatable but intuitive There is awareness of IT Governance objectives, and practices are developed and applied by individual managers. 3 Defined process The need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented. 4 Managed and measurable IT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process. 5 Optimised Enterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. 80

81 Agenda Enterprise Governance of IT Enterprise Governance of IT practices Enterprise Governance of IT as enabler for business / IT alignment Enterprise Governance of IT as enabler for business value 81

82 Business/IT Alignment Research concerning difficulties experienced by organisations while aligning business and IT. - Expression barriers (lack of direction in business strategy) - Specification barriers (lack of IT involvement in strategy development) - Implementation barriers (difficult integration of legacy systems) 82

83 Henderson and Venkatraman (SAM model) Business/IT Alignment External Business Business Strategy Strategy IT Strategy Strategic fit Internal Organizational Infrastructure and processes IS infrastructure IS infrastructure and processes and processes Business Information Technology 83 Functional Integration

84 Strategic Alignment (Henderson and Venkatraman, 1993) Business Information Technology External Business strategy IT strategy Strategic fit Internal Operational infrastructure and processes IT infrastructure and processes Functional integration 84

85 Strategic Alignment model Business strategy as the driver: strategy execution alignment perspective Business strategy is articulated and is the driver of both organizational and IT infrastructure design Business Information Technology External Business strategy IT strategy Strategic fit Internal Operational infrastructure and processes IT infrastructure and processes Functional integration 85

86 Business strategy as the driver: technology transformation alignment perspective Implementing the chosen business strategy through appropriate IT strategy and required IT infrastructure and processes Business Strategic Alignment model Information Technology External Business strategy IT strategy Strategic fit Internal Operational infrastructure and processes IT infrastructure and processes Functional integration 86

87 IT strategy as the enabler: service level alignment perspective Focuses on how to build a world-class IT service organization Strategic Alignment model Business Information Technology External Business strategy IT strategy Strategic fit Internal Operational infrastructure and processes IT infrastructure and processes Functional integration 87

88 Business/IT Alignment Maes (extension SAM model) business information/ communication technology strategy structure operations 88

89 Assignment Business / IT alignment assessment through business goals / IT goals 89

90 90 Assignment: linking business goals to IT goals

91 Linking business goals IT goals IT Goals Developing innovative IT services with a focus on information security Fulfilling SLA's with business departments Increasing IT department efficiency Integration and consolidation of different IT departments IT disaster recovery and business continuity IT governance / IT strategic alignment IT measures to satisfy Basel II requirements Lowering cost of transaction processing Making IT measurable Optimizing the IT infrastructure Rapid development of new IT services Reducing external staff Standardising IT systems Business Goals Achieving compliance with Basel II regulations S S P Improving competitiveness through IT P P S P Improving customer orientation and service P S P S S P S Post-merger integration and consolidation P S S S S Reducing operational cost P P S S P P P P P Reducing transaction cost P S S P P S S Risk management S P S S P P S P S Shortening service development lifecycle S S P Tailoring solutions for different target groups P S 91

92 Aligning business goals and IT goals UAMS-ITAG/ITGI research: - Previous research 20 business goals and 28 IT goals Across multiple sectors - This study Validate business and IT goals Gain insight in priorities for different sectors Examine relationship between IT goals and business goals 92

93 Aligning business goals and IT goals Delphi methodology: - Structured process for collecting and distilling knowledge from a group of experts by means of several research rounds. 158 business and IT people 5 sectors - Manufacturing and pharmaceuticals, IT professional services, telecommunications and media, government, utilities and healtcare, and retail and transportation. 93

94 94 Aligning business goals and IT goals

95 Aligning business goals and IT goals TOP 10 PRIORITIZED LIST OF BUSINESS GOALS 1. IMPROVE CUSTOMER ORIENTATION AND SERVICE 2. COMPLY WITH EXTERNAL LAWS AND REGULATIONS 3. ESTABLISH SERVICE CONTINUITY AND AVAILABILITY 4. MANAGE (IT RELATED) BUSINESS RISKS 5. OFFER COMPETITIVE PRODUCTS AND SERVICES 6. IMPROVE AND MAINTAIN BUSINESS PROCESS FUNCTIONALITY 7. PROVIDE A GOOD RETURN ON INVESTMENT OF (IT ENABLED) BUSINESS INVESTMENTS 8. ACQUIRE, DEVELOP AND MAINTAIN SKILLED AND MOTIVATED PEOPLE 9. CREATE AGILITY IN RESPONDING TO CHANGING BUSINESS REQUIREMENTS 10. OBTAIN RELIABLE AND USEFUL INFORMATION FOR STRATEGIC DECISION MAKING TOP 10 PRIORITIZED LIST OF IT GOALS 1. ALIGN THE IT STRATEGY TO THE BUSINESS STRATEGY 2. MAINTAIN THE SECURITY (CONFIDENTIALITY, INTEGRITY AND AVAILABILITY) OF INFORMATION AND PROCESSING INFRASTRUCTURE 3. MAKE SURE THAT IT SERVICES ARE RELIABLE AND SECURE 4. PROVIDE SERVICE OFFERINGS AND SERVICE LEVELS IN LINE WITH BUSINESS REQUIREMENTS 5. PROVIDE IT COMPLIANCE WITH LAWS AND REGULATIONS 6. TRANSLATE BUSINESS FUNCTIONAL AND CONTROL REQUIREMENTS IN EFFECTIVE AND EFFICIENT AUTOMATED SOLUTIONS 7. DELIVER PROJECTS ON TIME AND ON BUDGET MEETING QUALITY STANDARDS 8. DRIVE COMMITMENT AND SUPPORT OF EXECUTIVE MANAGEMENT 9. IMPROVE IT S COST-EFFICIENCY 10. ACCOUNT FOR AND PROTECT ALL IT ASSETS 95

96 10. Obtain reliable and useful information for strategic decision making Business Goals 1. Improve customer orientation and service 2. Provide compliancy with external laws and regulations 3. Establish service continuity and availability 4. Manage (IT related) business risks 5. Offer competitive products and services 6. Improve and maintain business process functionality 7. Provide a good return on investment of (IT enabled) business investments 8. Acquire, develop and maintain skilled and motivated people 9. Create agility in responding to changing business requirements 11; Achieve cost optimisation of service delivery 12. Optimise business process costs 13. Enable and Manage business change 14. Improve and maintain operational and staff productivity 15. Improve financial transparency 16. Provide compliancy with internal policies 17. Identify, enable and manage product and busin IT Goals 1. Align the IT strategy to the business strategy P S S P P P S S P P S S P S S S P 2. Maintain the security (confidentiality, integrity and avaliability) of information and processing infrastructure P P P P S S P 3. Make sure that IT services are reliable and secure P P P P S S S S S S S S 4. Provide service offerings and service levels in line with business requirements P P S P P S S S S S S S S S 5. Provide IT compliancy with laws and regulations S P P S S S P 6. Translate business functional and control requirements in effective and efficient automated solutions S S S S P S S S S S S S S S 7. Deliver projects on time and on budget meeting quality standards S S S S S S S S S S 8. Drive commitment and support of executive management S S S S S S S S S S 9. Improve IT s cost-efficiency S P P P S 10. Account for and protect all IT assets S S S S S S 11. Acquire, develop and maintain IT skills that respond to the IT strategy S S P S S S S S 12. Provide IT agility (in responding to changing business needs) S S S S P P S 13. Offer transparency and understanding of IT cost, benefits and risks S S S S P 14. Optimise the IT infrastructure, resources and capabilities S S P S P S S 15. Accomplish proper use of applications, information and technology solutions S S S S S S S S S S S S S 16. Seamlessly integrate applications and technology solutions into business processes S S P S S S S S S S S 17. Ensure that IT demonstrates continuous improvement and readiness for future change S S S P S P 18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation S S P S S S S P 96

97 Luftman assessment of business/it alignment maturity Validated instrument Used in many studies to assess business/it alignment 6 attributes - Communications maturity - Competency/value measurements maturity - Governance maturity - Partnership maturity - Scope & architecture maturity - Skills maturity 97

98 attribute characteristics level 1 characteristic level 5 communications maturity understanding of business by IT minimum pervasive understanding of IT by business minimum pervasive inter/intra-organizational learning casual, ad hoc strong and structured protocol rigidity command and control informal knowledge sharing ad hoc extra-enterprise liaison(s) breath/effectiveness none or ad hoc extra-enterprise competency/value measurements maturity IT metrics technical extended to external partners business metrics ad hoc extended to external partners balanced metrics ad hoc, unlinked business, partner and IT metrics service level agreements sporadically present extended to external partners benchmarking not generally practiced routinely performed with partners formal assessments/reviews none routinely performed continuous improvement none routinely performed governance maturity business strategic planning ad hoc integrated across & external IT strategic planning ad hoc integrated across & external reporting/organization structure CIO reports to CFO CIO reports to CEO central/decentral federated budgetary/control cost center, erratic investment center, profit center IT investment management cost based, erratic business value steering committee(s) not formal, regular partnership prioritization process reactive value added partner 98

99 attribute characteristics level 1 characteristic level 5 partnership maturity business perception of IT value IT perceived as a cost IT co-adapts with business role of IT in strategic business planning no seat at business table co-adaptive with business shared goals, risk, rewards/penalties IT takes risk risks and rewards shared IT program management ad hoc continuous improvement relationship/trust style conflict/minimum valued partnership business sponsor/champion none at the CEO level scope & architecture maturity traditional, enabler/driver traditional systems business strategy driver/enabler standards articulation none or ad hoc inter-enterprise standards architectural integration: no formal integration evolve with partners functional organization integrated enterprise standard enterprise architecture inter-enterprise with all partners architectural transparency, flexibility none across the infrastructure skills maturity innovation, entrepreneurship discouraged the norm locus of power in the business all executives, including CIO management style command and control relationship based change readiness resistant to change high, focused career crossover none across the enterprise education, cross-training none across the enterprise attract & retain best talent no program effective program for 99

100 100 Example questions (partnership maturity) IT is perceived by the business as: 1 A cost of doing business 2 Emerging as an asset 3 A fundamental enabler of future business activity 4 A fundamental driver of future business activity 5 A partner for the business that co-adapts/improvises in bringing value to the firm 6 N/A or don t know The following statements are about the IT and business relationship and trust. 1 There is a sense of conflict and mistrust between IT and the business. 2 The association is primarily an arm s length transactional style of relationship. 3 IT is emerging as a valued service provider. 4 The association is primarily a long-term partnership style of relationship. 5 The association is a long-term partnership and valued service provider. 6 N/A or don t know The following statements are about the cultural locus of power in making IT-based decisions. Our important IT decisions are made by: 1 Top business management or IT management at the corporate level only 2 Top business or IT management at corporate level with emerging functional unit level influence 3 Top business management at corporate and functional unit levels, with emerging shared influence from IT management 4 Top management (business and IT) across the organization and emerging influence from our business partners/alliances. 5 Top management across the organization with equal influence from our business partners/alliances. 6 N/A or don t know

101 ,5 4 3,5 3 2,5 2 1,5 1 0,5 0 Business / IT alignment international benchmark Alignment Hotel/entertainment Services Insurance Manufacturing Health Chemical Financial Government Oil/Gas/Mining Utilities Pharmaceutical Educational Overall Average Retail transportation

102 Business / IT alignment Belgian benchmark Result of alignment benchmark research 10 Belgian financial enterprises: Organis ation Number of employees in Belgium Main activities A More than 1000 Banking and Insurance B Between 100 and 1000 Banking and Insurance C More than 1000 Banking D More than 1000 Banking E More than 1000 Banking and Insurance F More than 1000 Financial transaction services G Between 100 and 1000 Banking and Insurance H Between 100 and 1000 Baking and Insurance I More than 1000 Banking and Insurance J More than 1000 Banking and Insurance 102

103 Business / IT alignment Belgian benchmark Organis ation Total number of respondents Number of IT respondents Number of business respondents Average maturity score by IT Average maturity score by business Total Total Total Average G 2,69 F << A B C D E H I J >> 1,0 1,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6 3,7 3,8 3,9 4,0 Delta Total Alignment maturity Score Deviation from average A ,06 2,14-0,07 2,10-0,59-22% B ,27 2,00 0,27 2,16-0,52-19% C ,59 2,55 0,05 2,56-0,12-5% D ,98 2,35 0,64 2,67-0,02-1% E ,69 2,74-0,05 2,71 0,03 1% F ,15 2,46 0,69 2,72 0,04 1% G ,75 2,73 0,03 2,74 0,06 2% H ,89 2,95-0,06 2,91 0,22 8% I ,23 2,97 0,26 3,11 0,43 16% J ,09 3,26-0,17 3,17 0,48 18% 103

104 The relationship between EGIT practices and business / IT alignment Research on extreme cases Interviews/workshops to define maturity of 33 governance practices Organization A Interviewees Adjunt-director Organization Department Service delivery manager Director Organization Department B CEO Change Manager I Head IT Governance Head IT Development Head Project Management Office J CIO Head Accounting 104

105 Defining maturity of 33 EGIT practices 0 Non-existent There is a complete lack of any recognisable IT Governance process. 1 Initial/ad hoc The organisation has recognised that IT Governance issues exist and need to be addressed. 2 Repeatable but intuitive There is awareness of IT Governance objectives, and practices are developed and applied by individual managers. 3 Defined process The need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented. 4 Managed and measurable IT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process. 5 Optimised Enterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. 105

106 A B I J S S S S S S S S S S S S P P P P P P P P P P P R R R R R R R R R R ,48 1,39 2,21 3,12 106

107 The relationship between EGIT and business/it alignment G Business/IT alignment maturity F << A B C D E H I J >> 1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6 Maturity of IT governance practices J I B A 4,00 3,50 3,00 2,50 2,00 1,50 1,00 0,50 0,00 Structures Processes Relational mechanisms 107

108 The relationship between EGIT and business / IT alignment Maturity averages Clear gap between A-B and I-J 3,5 3 2,5 2 1,5 1 0,5 0 A B I J 108

109 J A ,5 S1 S4 S5 S6 S9 P1 P3 P80 P9 R8 A B I J 5 3,5 3 2,5 2 1,5 Extreme cases analysis EGIT practices versus business / IT alignment Average IT goverance practices maturity J I B A 4,00 3,50 3,00 2,50 2,00 1,50 1,00 0,50 0,00 4 J A 3 2 Structures Processes Relational 1 mechanisms S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 R1 R2 R3 R4 R5 R6 R7 R8 R9 R10

110 Agenda Enterprise Governance of IT Enterprise Governance of IT practices Enterprise Governance of IT as enabler for business / IT alignment Enterprise Governance of IT as enabler for business value 110

111 From enterprise governance of IT to business value Enterprise governance of IT enables Business / IT alignment enables Business value from IT investments 111

112 Business/IT alignment and Business Value from IT Why is alignment important to an organization s success? - Research from Chan and Bergeron: impact of alignment on business performance is higher than impact of business strategy or IT strategy - Productivity paradox (Brynjolfson) 112

113 What is the relationship between organizational performance and IT governance practices based on COBIT 4.1 and Val IT 2.0? Research scope and model Research model and metrics use the available concepts from COBIT and Val IT. Three research constructs - COBIT and Val IT processes measured by the implementation status of 34 COBIT processes and 22 Val IT processes - Technical, operational and business capabilities measured by the achievement status of 18 IT goals - Business Outcome measured by the achievement status of 17 business goals and 3 Val IT goals 113

114 114 Questionnaire - Sample question

115 Business/IT Alignment IT and Business Governance Practices COBIT Processes measured by Processes implementation status Technical Capability measured by IT Goals achievement status Reserach Model Val IT processes measured by Processes implementation status Operational Capability measured by IT Goals achievement status COBIT and Val IT Processes IT related Business capability measured by IT goals achievement status IT Goals 115 Business Outcome Measured by Business Goals achievement status Business Goals

116 Research questions RQ1: Does the implementation of COBIT processes and Val IT processes have an impact on the achievement of IT goal capabilities (technical, operational and business capabilities)? RQ2: Which subset of COBIT and Val IT processes impacts the capabilities the most? RQ3: Do the IT goal capabilities have an impact on the achievement of business outcome (business goals)? RQ4: Which IT goal capabilities impact business outcome most? RQ5: Ultimately, does a cascaded relationship exists between the COBIT/Val IT governance practices, the intermediate capabilities (IT goals), and the business outcome (business goals)?. 116

117 Research questions RQ6: what is the implementation status of COBIT and Val IT processes, spread over different sectors, company sizes and regions RQ7: what is the degree of achievement for IT goals and business goals, spread over different sectors, sizes and regions RQ8: Are the detailed business goals IT goals IT processes matrices as published in COBIT 4.1 confirmed? 117

118 Key findings The research model cascade is validated: 1. A strong correlation between the implementation of COBIT and VALIT and the achievement of IT goals 2. A strong correlation between the achievement of IT goals and the achievement of business goals Operational oriented processes are better implemented than planning, monitoring and value related processes. Implementation status of the COBIT and Val IT frameworks is typically higher in - Larger organisations - Organisations from the Financial, Manufacturing and Retail sector - European and North American organisations. Knowing-Doing Gap: Organisations are aware of the importance of IT goals such as Align the IT strategy to the business strategy but in practice do not manage to achieve them in a proper way. New empirically researched data is available to further develop the IT governance body of knowledge and its related frameworks COBIT and Val IT 118

119 The validated research cascade model IT and Business Governance Practices COBIT Processes measured by Processes implementation status COBIT and Val IT Processes Val IT processes measured by Processes implementation status 1 Technical Capability measured by IT Goals achievement status Operational Capability measured by IT Goals achievement status 2 IT Goals IT related Business capability measured by IT goals achievement status 119 Business Outcome Measured by Business Goals achievement status Business Goals

120 Implementation status IT processes Operational oriented processes (AI and DS) are better implemented than planning (PO) monitoring (ME) processes. COBIT processes are better implemented than Val IT processes 3,50 3,40 3,30 3,20 3,10 3,00 2,90 2,80 2,70 2,60 2, COBIT PO COBIT AI COBIT DS COBIT ME COBIT Total Val IT VG Val IT PM Val IT IM VAL IT Total

121 Knowing-doing gap Comparing achievement results (this study) and importance results (previous study) Differences confirm knowing-doing gap - IT goal Align the IT strategy to the business strategy was ranked as the most important goal (rank 1) in previous research but only ranked 7th regarding actual achievement status - IT goal provide IT compliance with laws and regulations was ranked on the 5th place in terms of importance, but received the highest rank for achievement status 121

122 7 high impact COBIT processes 5 high impact Val IT processes 4 high impacted IT Goals Summary - High impact implemented processes / achieved IT goals relation High impact COBIT processes - Define a Strategic IT plan (PO1) - Manage the IT investment (PO5) - Communicate Management Aims and Direction (PO6) - Assess and manage IT risks (PO9) - Identify Automated Solutions (AI1) - Acquire and Maintain Application Software (AI2) - Acquire and Maintain Technology Infrastructure (AI3) High impact Val IT processes - Define and Implement Processes (VG2) - Establish Effective Governance Monitoring (VG5) - Continuously Improve Value Management Practices (VG6) - Establish Strategic Direction and Target Investment Mix (PM1) - Update Operational IT Portfolios (IM7) High impacted IT Goals - Align the IT strategy to the business strategy (IT_Corp6) - Provide service offerings and service levels in line with business requirements (IT_User1) - Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1) - Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3) 122

123 Summary - High impact achieved IT goals / achieved Business Goals relation 8 high impact IT Goals 6 high impacted Business Goals High impact IT Goals - Improve IT s cost-efficiency (IT_Corp5) - Align the IT strategy to the business strategy (IT_Corp6) - Translate business functional and control requirements in effective and efficient automated solutions (IT_User3) - Accomplish proper use of applications, information and technology solutions (IT_User4) - Provide IT agility (in responding to changing business needs) (IT_Oper4) - Seamlessly integrate applications and technology solutions into business processes (IT_Oper5) - Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1) - Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3) Highly impacted Business Goals -Achieve cost optimisation of service delivery (B_Cust4) -Obtain reliable and useful information for strategic decision making (B_Cust6) -Improve and maintain business process functionality (B_Int1) -Improve and maintain operational and staff productivity (B_Int2) -Enable and Manage business change (B_Int3) -Optimise business process costs (B_Int5) 123

124 124 Input COBIT 4.1 development Mapping COBIT 4.1 / correlation matrix business goals IT Goals

125 125 Input COBIT 4.1 development Mapping COBIT 4.1 / correlation matrix IT goals COBIT processes

126 Questions and discussion More information IT Governance and Alignment Research Institute - [email protected] [email protected] - Books Van Grembergen W., De Haes S., Implementing Information Technology Governance: models, practices and cases, 255p., IGI Publishing, 2008 Van Grembergen W., De Haes S., Enterprise Governance of IT: achieving strategic alignment and value, 360p., Springer, International Journal on IT/Business Alignment and Governance (IJITBAG)