Navy IT Service Management Office (ITSMO) Establishing an IT Governance System




Navy IT Service Management Office (ITSMO)
20-Step Process Guide
Version 1.0
Prepared by ITSMO IT Governance Team
23 September 2013

Establishing IT Governance IT Service Management Office (ITSMO) Version 1.0_23 September 2013 Page ii

Document Control
This page provides details on the document file name and location and its control information.

File Information
File Location: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/itsmo_establishing_it_governance_system.pdf

Document Information
Version: 1.0
Original Author: ITSMO Governance
Status: Final
Released by: ITSMO Director
Reference:
Date Released: 23 September 2013

Revision History
Revision | Date Revised | Revised By | Group | Change
0.1 | 8/1/2013 | C. Mitchell | ITSMO | Initial draft
0.1 | 8/7/2013 | P. Withers | ITSMO | Initial draft review
0.2 | 9/18/2013 | P. Withers | ITSMO | Consolidated Reviews
1.0 | 9/23/2013 | LCDR Glidden | ITSMO | Final Version Approval

Table of Contents
Document Control ... iii
1 Introduction ... 1
1.1 Purpose ... 1
1.2 Objectives ... 1
1.3 Scope ... 1
1.4 Background ... 1
1.5 IT Governance Defined ... 1
1.5.1 Governance versus Management ... 2
1.6 The Need for Enterprise IT Governance ... 3
1.6.1 Compliance ... 4
1.6.2 Risk Management ... 4
1.6.3 Service Execution ... 4
1.6.4 Performance Measurement ... 5
1.6.5 Resource Management ... 5
1.7 IT Governance System ... 5
1.8 IT Governance Project Roles ... 6
2 Establishing IT Governance in 20 Steps ... 7
2.1 Step 1: Obtain Executive Leadership Level Sponsorship ... 8
2.2 Step 2: Executive Leadership Communicates IT Governance Initiative to the Organization ... 9
2.3 Step 3: Designate the IT Governance Project Manager and Implementation Team ... 9
2.4 Step 4: Obtain IT Governance SME Support ... 9
2.5 Step 5: Develop IT Governance Policy ... 9
2.6 Step 6: Executive Signs and Promulgates IT Governance Policy ... 10
2.7 Step 7: Conduct IT Governance Training ... 10
2.8 Step 8: Construct IT Governance Implementation Project Plan ... 10
2.9 Step 9: Establish IT Governance Repository ... 10
2.10 Step 10: Develop IT Governance Strategic Communications Plan ... 10
2.11 Step 11: Develop IT Governance Strategy ... 11
2.12 Step 12: IT Governance Strategy Approval ... 11
2.13 Step 13: Develop the IT Governance Charter ... 11
2.14 Step 14: Approve and Sign IT Governance Charter ... 12
2.15 Step 15: Develop Operating Guide ... 12
2.15.1 Exceptions ... 13
2.16 Step 16: Appoint IT Governance Chair ... 13
2.17 Step 17: Issue Letters of Designation ... 13
2.18 Step 18: Train the IT Governance Body Members ... 13
2.19 Step 19: Conduct Pilot Meeting ... 14
2.20 Step 20: Initial Formal IT Governance Meeting ... 14
2.21 Maintain and Improve the IT Governance System ... 15
3 IT Governance Implementation Best Practices ... 15
References ... 17
Appendix A ... A-1
Governance Actions, Definitions, and Examples ... A-1
IT Governance Body Actions ... A-1
Actions Carried Out by Stakeholders ... A-1
Navy ITSMO Operating Guide ... A-2
IT Governance System Roles ... A-2
IT Governance Model Example ... A-3
Appendix B ... B-1

Figures
Figure 1: IT Governance System ... 6
Figure 2: Flow Chart ... 8
Figure 3: IT Governance Model [Example] ... A-4

Tables
Table 1: IT Governance Project Roles and Responsibilities ... 7
Table 2: IT Governance System Roles and Responsibilities ... A-3

1 Introduction

1.1 Purpose
The purpose of this document is to provide guidance for Navy organizations to establish Information Technology (IT) governance systems.

1.2 Objectives
The objective of this document is to provide Navy organizations with a step-by-step process for establishing and sustaining an IT Governance System, based on the lessons learned, expertise and experience the Navy Information Technology Service Management Office (ITSMO) gained through establishing its own IT Governance System.

1.3 Scope
The scope of this document encompasses any organization within the Navy IT enterprise that desires an approach and sequencing of activities for establishing or improving an effective IT Governance System; it is not program specific.

1.4 Background
The information contained in this document is a compendium of research conducted by the Navy ITSMO using international and industry best practice for establishing and sustaining IT Governance systems. More specifically, this includes guidance from ISACA and the IT Governance Institute (ITGI) using their COBIT 5 framework and Taking Governance Forward initiative, and the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 38500, Corporate Governance of Information Technology. To establish a baseline understanding of the IT Governance tenets set forth in these publications, it is recommended that IT governance sponsors and project leads read the ISACA publication Implementing and Continually Improving IT Governance.

1.5 IT Governance Defined
In their book IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (2004, Harvard Business School Press), Peter Weill and Jeanne Ross offer the following definition for IT Governance:

IT governance: specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.

Weill and Ross go on to suggest that effective IT Governance must address three questions:
- What decisions must be made to ensure effective management and use of IT?
- Who should make these decisions?
- How will these decisions be made and monitored?

Similarly, the ISO Study Group position on Governance at the itSMF USA defines IT Governance as:

A decision rights and accountability framework for directing, controlling and executing IT Services and the required IT Service Management Processes to determine and achieve desired behaviors and results.

The Study Group further elaborates that governance involves defining the management model and the creation of guiding (governing) IT service management principles, including:
- Who makes directing, controlling and executing decisions?
- How will the decisions be made?
- What information is required to make the decisions?
- What decision-making mechanisms should be required?
- How will exceptions be managed?
- How should governance be reviewed and improved?

The similarities in the definition of IT Governance from both academia and industry focus attention on decision rights and an accountability framework: decision rights are a formal and cascading delegation of authority to commit resources and resolve conflict, and an accountability framework enables positive control over the actions and behaviors of those vested with decision rights. While the ITSMO does not offer its own definition for IT Governance, it has used this composite definition to inform the creation and sequencing of its own IT Governance model and the 20 discrete steps for establishing a viable IT Governance construct.

1.5.1 Governance versus Management
While it has been said that governance and management are two sides of the same coin, there are distinct differences of focus and authority, and there is often misunderstanding in industry and within the DoD concerning these differences. In support of the purpose of this document, the two terms are defined in the COBIT 5 framework as follows:

Governance
Governance is derived from the Greek verb meaning "to steer". A governance system refers to all the means and mechanisms that enable multiple stakeholders in an enterprise to have an organized say in evaluating conditions and options; setting direction; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objectives. Means and mechanisms include frameworks, principles, policies, sponsorship, structures and decision mechanisms, roles and responsibilities, processes and practices, to set direction and monitor compliance and performance aligned with the overall objectives. In most [commercial] enterprises, it is the responsibility of the board of directors under the leadership of the CEO and chairman

Management
Often differentiated from governance as the distinction between being committed (governance) and involved (management), management entails the judicious use of means (resources, people, processes, practices et al.) to achieve an identified end. It is the means or instrument by which the governance body achieves a result or objective. Management is responsible for execution within the direction set by the governing body or unit. Management is about planning, building, organizing and controlling operational activities to align with the direction set by the governance body.

Put succinctly, IT Governance ensures that enterprise objectives are achieved by:
- Evaluating stakeholder needs, conditions, and options
- Directing through prioritization and decision-making
- Monitoring performance, compliance and progress against agreed-to direction, using Critical Success Factors to achieve objectives

Another way to think about the difference between governance and management is to think about the primary focus of each. Management is primarily focused on the efficient use of resources to achieve strategic (governance-set) objectives. Governance, on the other hand, is primarily focused on detecting, understanding and treating (based on appetite) the risks associated with the achievement of strategic goals and objectives (see paragraph 1.6.2, Risk Management).

1.6 The Need for Enterprise IT Governance
The need for Enterprise IT governance has been growing within industry and government for the past decade. Industry realized during the 1990s that the organization chart (the chain of command, in Navy terms), while sufficient to execute business processes, was not suitable for controlling the risk and associated impact and costs of IT. Capability and alignment of IT initiatives drive business strategic objectives. The establishment of an IT Governance structure that is subordinate to, and integrated with, the business addresses IT and business alignment issues and provides a positive accountability matrix for decisions that directly impact the strategic focus of the business.

Within DoD, there has been a steady adoption of IT governance structures to better direct and control IT initiatives. The DoD's needs are similar to those of business: control suppliers and cost, and align IT initiatives to the strategic and tactical mission objectives in support of the Warfighter. IT Governance exists to solve IT problems by adjudicating and communicating decisions, allocating authority to make those decisions, and controlling IT initiatives. Operating in the Navy IT environment poses special considerations that can only be addressed with a top-down, integrated IT governance model; IT governance must be established at many levels to address the issues at those levels. IT Governance enhances the command and control and situational awareness (C2/SA) of the chain of command by setting policies and compliance measures that direct and control IT Service Management (ITSM).

The publicly available data from the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR) suggests an almost axiomatic relationship between organizations with, and those without, formal IT Governance bodies: high-performing organizations will most often institute formal IT Governance mechanisms that enable the application and monitoring of controls that support the strategic vision and goals, while organizations that are not high-performing can trace one or more inhibitors to goal attainment to a lack of IT governance. This proportional relationship between governance and IT further suggests that the more mature ITSM processes and services become, the more they drive business service excellence to the customer. Without IT governance bodies to direct, control and evaluate the operational IT community, provide conflict resolution, and set policy, ITSM processes become ineffective: service delivery is not measured, costs are not contained, customer satisfaction with agreed service suffers and the strategic vision is never realized.

1.6.1 Compliance
The need for enterprise IT Governance is never more acutely felt than in the area of compliance. Compliance requirements are mandatory, non-negotiable controls on people, processes and technology that require continual review and may be auditable. IT Governance bodies must ensure compliance with all Federal, DoD, and DON policies and regulations (FISMA, DoDI 8500 (Series), DoDI 8510 (Series), OPNAVINST 2201, etc.). Additionally, directives and decisions from higher-level governance bodies mandate that each governance body ensure compliance, including standardization. Governance bodies should clearly communicate compliance requirements and enforce compliance measures. Non-compliance should be reported to the next higher-level structure as an exception (see Exceptions in paragraph 2.15.1).

1.6.2 Risk Management
Managing risk also underscores the need for enterprise IT Governance. A core responsibility of IT governance lies in addressing risk to the enterprise relative to IT initiatives. Risk exists whether or not it is detected and recognized, and it can be either positive or negative.
While positive risk is normally associated with capitalizing on emergent or unforeseen opportunities in marketing and market share capture, negative risk typically includes risk to the mission (failure), operations (inefficiencies), compliance (noncompliance), strategy (achievement), service delivery (breaches), information assurance (compromise), manpower (skill attrition), and others. Risk includes anything that could impact the strategic objectives and operational readiness of the organization for which the governance body maintains direction and control. Risk surveillance, detection, evaluation and response (treatment) should be embedded in the IT governance system. A risk register (Appendix A) should be maintained, and appropriate personnel assigned by the governance body to manage IT risk issues within the organization.

1.6.3 Service Execution
An important focus of IT governance is Service Execution. Service Execution is responsible for the scheduling, operation and performance of IT-based services which have been committed to the customer, applying available resources to workload demands. The enterprise must detect problems that exist in the delivery of service and then implement governance structures to address and govern those areas. Successful service execution is a result of mission alignment with customer requirements, given that a service is a value proposition: a predefined value at or above the level of agreed delivery to the customer based on their expectations. The degree to which the customer perceives adequate or exceptional service delivery has a direct bearing on customer satisfaction. The need for enterprise IT Governance is therefore evident in that IT Governance structures must allocate appropriate decision rights and accountability chains as close to the service point of delivery as possible to ensure the services are defined in customer terms and then successfully delivered and communicated. If services are not clearly defined in customer terms (i.e., through a service catalog with non-technical, customer-centric views), customer expectations are made up of past experience, word-of-mouth and/or needs-versus-wants, with little relationship between requirements and service level attainment. In those cases, the chances of true customer satisfaction are low.

1.6.4 Performance Measurement
In nautical terms, the use of defined measures (bearing, course, speed, drift, draft, etc.) is necessary to determine if the ship is on course, or if a course correction is needed. Similarly, a key component of any governance framework is measurement reporting: measurement determines whether IT is meeting the mission objectives through established performance levels and results. Why does enterprise IT Governance need to worry about performance measurement? Primarily because the Federal Acquisition Streamlining Act of 1994 and the Clinger-Cohen Act of 1996 require performance-based and results-oriented decision-making for all major government investments in IT. Secondarily, because the management adage "if you can measure it, you can manage it" holds true for IT Governance, where the actual metrics for performance measurement are determined by the stakeholders and customers of the services based on their specific requirements. Governance ensures those measurements are transparent, timely, and receive continuous management oversight for successful evaluation of ITSM value delivery. Performance measurement helps to align the enterprise to a set of common ITSM goals that produce quantitative as well as qualitative results. The measurement lexicon should be in commonly understood language and not tech-speak. Measurement reporting is the primary method by which the enterprise can control IT initiatives and set course corrections when necessary. The ITSMO has developed an Enterprise Service Quality Plan for review by anyone interested in becoming familiar with performance measurement.

1.6.5 Resource Management
IT governance is concerned with the effective and efficient management of resources to achieve strategic goals and objectives, which is another risk management vector. Areas that would be in scope in many cases include ensuring manpower availability, utilization and skillsets meet the requirements of the mission. Education and proficiency training of human resources should be addressed and progress tracked. In some organizations, IT governance is responsible for IT budgets, for software and equipment, making proposals to higher-level governance bodies and tracking and reporting variance.

1.7 IT Governance System
An IT Governance System is a compilation of all governance activities, people, governance bodies, policies, documentation, templates, strategy, charters, and models in a holistic framework that provides visibility and positive command and control of the enterprise. Many of the components of the system are built during creation of the strategy, operating guide development, and project execution activities. Figure 1 illustrates a typical IT governance system.

It is important for project team leaders to understand that establishing governance is more than creating a charter; there are multiple moving parts, initiatives and artifacts that have to be created and managed to fully achieve IT governance within an organization.

Figure 1: IT Governance System

1.8 IT Governance Project Roles
Creating or refining an IT Governance construct is an important undertaking for any organization and one that requires the talents of a proven IT Project Manager with experience in IT Governance to balance the competing priorities of both leadership and management. IT governance project roles are defined in Table 1 below. It is strongly suggested that organizations planning IT governance projects obtain the services of an IT Governance Subject Matter Expert (SME) to ensure all requirements are cataloged and project execution milestones are managed within the timeline established in the Plan of Action.

Project Role | Responsibilities
Executive Leadership Sponsor | Typically a DON O-6, SES or Chief Information Officer. Responsible for initiating the governance project and constantly communicating support to stakeholders. The Sponsor champions and provides oversight to all project activities.
IT Governance Project Team Lead | The Project Team Lead is accountable to the Sponsor for the successful implementation of the IT governance project plan. The IT Governance Project Team Lead is also responsible for: construction of the project plan; designating project team members; projecting team deliverables (policy, communications plan, strategy document, charter, operating guide and templates); establishing the IT governance portal and designating an administrator.
IT Governance SME | Provides ongoing SME support to the Sponsor and IT Governance Project Team.
Governance Body Membership | Chairman, Principal and Adjunct Members designated to serve on the governance body.

Table 1: IT Governance Project Roles and Responsibilities

2 Establishing IT Governance in 20 Steps
The process flow chart depicted in Figure 2 and the accompanying explanation for each step in this guide are provided to acquaint governance stakeholders with the recommended incremental methodology and best practice for establishing a functional IT Governance framework and organizational construct. It is by no means prescriptive; organizations may selectively incorporate elements of the 20 steps to bolster control and oversight of an existing IT Governance process, or modify the process flow to better fit organizational requirements and align the process with existing seam and interface management. Notwithstanding, IT Governance practitioners should ensure each of the 20 steps is thoroughly reviewed and represented in the framework and process ultimately adopted, to mitigate the inevitable organizational and cultural resistance to change that will occur.

The 20-step process flow also represents best practice in the sequencing of activities necessary to establish an effective IT Governance construct. However, some of these activities may be executed in parallel to help expedite achievement of short-term goals and shorten the overall project timeline from a project management perspective. Each organization should thoroughly review and understand the steps to determine the best method for implementation.

Figure 2: Flow Chart

2.1 Step 1: Obtain Executive Leadership Level Sponsorship
Obtain executive sponsorship and commitment from the highest level of authority possible. The military environment requires an SES civilian executive or (at a minimum) an O-6 military authority to properly instantiate IT Governance and drive it throughout the organization. If the sponsorship is limited to line-level managers or anyone below the executive or command level, you should abandon all thoughts of having effective IT Governance mechanisms. Your sponsor not only sets the resource and outcome expectations of the governance initiative, but enforces organizational compliance with the IT Governance Implementation Project Plan. The executive sponsor must be totally committed, and must communicate and champion the desire for IT Governance using strategic communications during kick-off, planning, design, transition and maintenance of the IT governance initiative.

2.2 Step 2: Executive Leadership Communicates IT Governance Initiative to the Organization
The executive leadership sponsor must communicate initial executive-level support to the entire organization and stay engaged with stakeholders throughout the initiative. Future leadership communication is covered in Section 2.10, Develop IT Governance Strategic Communications Plan. It is vital for the executive sponsor to constantly communicate executive-level support of the initiative to the organization using a communications plan. The ITSMO has developed a Strategic Communications Plan governing communications with and for its stakeholder community that can be used as a reference and template for developing a tailored IT Governance communications plan.

2.3 Step 3: Designate the IT Governance Project Manager and Implementation Team
The executive sponsor will direct the appropriate authorities to select an IT Governance Project Team project manager. This is the key position in the formulation of the initiative and should have the requisite project management skills and seniority within the organization. The project manager selects the project team members from the IT and business sectors of the organization. A critical duty of the Project Manager is close and continual liaison with the executive sponsor, enabling the sponsor to announce quick wins to the organization in a timely manner.

2.4 Step 4: Obtain IT Governance SME Support
Most organizations lack personnel with the skills necessary to provide the guidance and consultation required for IT governance training and implementation. Subject Matter Experts selected by the Project Manager, in conjunction with appropriate contracting constraints, should have a track record in establishing governance bodies, be Certified in the Governance of Enterprise IT (CGEIT) with ISACA, have experience as COBIT trainers, and have direct, traceable experience in the field of IT governance. Based on industry experience, ITSM ITIL Experts without governance training and certifications will not have the requisite experience as IT Governance professionals.

2.5 Step 5: Develop IT Governance Policy
The IT governance policy establishes the scope, roles and responsibilities of the IT governance initiative and is a precursor to the charter. The policy should apply to the IT organization, all organization IT projects and IT suppliers.

2.6 Step 6: Executive Signs and Promulgates IT Governance Policy

The policy must be signed and promulgated by executive leadership and made available to all stakeholders on a publicly accessible portal. Transparency is a principle of effective IT governance: all policies should be widely distributed and posted.

2.7 Step 7: Conduct IT Governance Training

Training typically includes all project team members, executive leadership, and key stakeholders and is conducted by the designated SME, with special emphasis on the international standard for IT governance (ISO 38500), IT Governance Institute resources, a COBIT overview, case studies, and the components of IT governance implementation. The outcomes should be a general understanding of IT governance purpose, terms and concepts, and a roadmap for the project team.

2.8 Step 8: Construct IT Governance Implementation Project Plan

Based on the IT governance training and other consultation with SME support, the project manager constructs the IT governance implementation plan, socializes and refines the plan with the team and SME support, and ultimately communicates the plan to senior leadership.

2.9 Step 9: Establish IT Governance Repository (Portal)

There must be a central repository for all artifacts and stakeholder communication. The repository should hold all relevant governance documents, policies, plans and processes, together with a calendar of project team meetings and planned governance board meetings, the risk register, and minutes from past meetings. There should be a public section, accessible by anyone in the organization, containing charters, strategic communications, announcements, and other approved documents in PDF format. A key principle of IT governance is transparency: sharing the charter, plans, communications, risks and decisions with stakeholders.
There should be formal access control and request procedures and an effective document management procedure, with responsible owners assigned for all documents.

2.10 Step 10: Develop IT Governance Strategic Communications Plan

A strategic communication plan must be developed, with a lead assigned to implement it. The plan should cover strategic communication frequency, generation and approval, and the definition and maintenance of distribution lists. Strategic communications are the main means of communicating with stakeholders.

Because IT governance conducts self-assessments and strives to improve the system, the strategic communications lead will also be the single point of contact for issues, concerns, and suggestions from the stakeholder community, which are relayed to the governance board membership for consideration.

2.11 Step 11: Develop IT Governance Strategy

An IT governance strategy document should be developed with SME support to identify the organization's holistic approach to IT governance. The strategy should include:
- Governance RACI
- Governance model, including future boards, committees, and councils
- Governance principles
- Risk management strategy
- Resource management
- Strategic alignment with the business or mission
- Critical Success Factors (CSF) and supporting Key Performance Indicators (KPI)
- Implementation timelines

The ITSMO has developed an IT Governance Strategic Plan template for use by commands and entities as a reference and template for developing a tailored IT Governance Strategic Plan.

2.12 Step 12: IT Governance Strategy Approval

Executive leadership approves and signs the IT Governance Strategy. Leadership then promulgates the strategy, exercises strong support for it throughout the organization, and makes it available for review by stakeholders.

2.13 Step 13: Develop the IT Governance Charter

Other than the IT governance policy, the charter is the formal organization-controlled document and is the cornerstone for all IT governance body activities. While all sections of the charter are important, the scope is the most important section because it sets the limits of the IT governance body. There should be a charter for each individual governance body. The suggested sections include:
- Overview
- Authority granted (who granted authority)
- Authority delegated to create subordinate governance bodies
- Governance body mission
- Governance body scope

- Expected outcomes
- Governance body membership and length of appointment (by functional group or organization)
- Functions mapped to roles and responsibilities (RACI)
- Meeting frequency
- Voting and quorums
- Reporting requirements
- Self-assessments and improvements
- Guiding principles (refer to ISO 38500 for guidance)

The ITSMO has developed an IT Governance Charter template for use by commands and entities as a reference and template for developing a tailored IT Governance Charter.

2.14 Step 14: Approve and Sign IT Governance Charter

The charter must be signed by the executive leadership of the organization, normally the executive sponsor. It is a critical success factor that the charter be signed by the highest-level authority possible. The charter should be posted on the IT Governance Portal and made available to stakeholders in a public folder.

2.15 Step 15: Develop Operating Guide

The operating guide is the handbook for how the governance system operates, whether that system is one board or multiple governance bodies within the organization. It provides the details of the governance system's decision-making and governance processes. The processes should include:
- Strategic communication - how and when the governance body communicates
- Exceptions - how problems (exceptions) are escalated (see paragraph 2.15.1)
- Stakeholder request - how the governance body responds to stakeholder requests
- Portal access - how stakeholders are approved for, and maintain, access to the governance body portal
- Meeting arrangements - what needs to be done when planning governance meetings
- Decision making - how the governance board conducts meetings and makes decisions, including voting and quorums
- Operational IT governance and self-assessments - what happens between meetings

The future governance body chair will sign this document, as well as all other future documents, plans, and policies, after governance body approval.

2.15.1 Exceptions

Exceptions are problems that need resolution, decisions, or other action by the governance body. They flow up the IT governance model (see Appendix A for an example), and the decisions made by the governance bodies on those exceptions flow back down the governance model in response. Exceptions may include issues such as:
- Resource management
- Conflict resolution
- Policy exceptions
- Cross-functional seam management problems
- Performance measurement, including establishing metrics to meet service level requirements
- Risk and compliance
- Strategic and mission alignment
- Standardization of ITSM terms, processes, service definitions, policies, roles, and skills

2.16 Step 16: Appoint IT Governance Chair

The senior executive sponsor formally appoints a chair of the governance body via an appointment letter. The appointment letter should be aligned with the charter, directing the chair to assume control of the governance body. The chair begins identifying suitable membership with the functional groups as indicated in the charter. The chair is accountable to the executive sponsor for the successful operation of the governance body within the scope of the governance body charter.

2.17 Step 17: Issue Letters of Designation

The governance chair, using templates from the IT governance SMEs, activates Principal Members of the body by letter of designation signed by the chair. The selection of Principal Members is determined by the charter, which details the organizations and functional groups with representatives on the governance body. It is the responsibility of the leadership in those organizations and groups to select members. The ITSMO has developed a Letter of Designation template that can be adapted for use by stakeholders and is available on the ITSMO Portal.
2.18 Step 18: Train the IT Governance Body Members

Governance body training must be provided to all voting members, covering the governance and decision-making processes, meeting arrangements, communication, portal access, exceptions, and use of the operating guide. Additionally, members should understand the governance strategy and the charter.

There should be separate specialized training, provided by a certified and experienced IT Governance SME, for both the Scribe and the Chair.

Chairman training - The IT governance body Chairman has to be trained separately using the procedures in the operating guide. The Chair must understand how to conduct the meetings, the importance of the formality of meetings, and the consistency of the meeting schedule. IT governance body meetings need a battle rhythm that ensures the business of the body is carried out effectively and efficiently: get them in, and get them out as quickly as possible. The attendees of such meetings are important people, and the meetings should have a definite start and stop time, with most of the tasks, such as reviewing minutes, completed before the meeting using the Meeting Prerequisites process. The Chair must understand the difference between a regular staff meeting and a governance body meeting. During the meeting, only Principal Members are allowed to discuss agenda items, unless they have requested a source outside the body to present expert information. Visitors should attend only the specific section of the meeting for which they are required. Adjunct Members attend the meetings but have no part in the proceedings; any input from Adjunct Members should have been communicated to a Principal Member prior to the governance body meeting. The meeting rules should be enumerated in the charter. The Chair must use a condensed form of Robert's Rules of Order. These rules, first published in 1876, were designed for use in ordinary societies rather than legislative assemblies, and are the most commonly adopted parliamentary authority among societies in the United States. The Chair should use the rules most pertinent to the conduct of official board deliberations to ensure the orderly conduct of presentations, voting, recording, and review of new and old business, et al.
Scribe training - The Scribe records the minutes, sends minutes out for review, posts minutes, and generally controls the meeting invitations and schedule. The Scribe also makes the call for agenda items and formulates and distributes the agenda and exhibits in advance of the meeting. Meeting minutes, agendas and exhibits should be posted on the IT governance body repository, with links sent to Principal and Adjunct Members. The Scribe is a key player in the pilot meeting (Step 19).

2.19 Step 19: Conduct Pilot Meeting

SME support will conduct a mock governance board to ensure all members understand what needs to be done before the meeting, what needs to be done during the meeting, and the responsibilities of each member. This should be a formal mock meeting using a revised form of Robert's Rules and testing the meeting arrangements process. An assessment should be conducted afterwards to identify areas where remedial training is needed.

2.20 Step 20: Initial Formal IT Governance Meeting

Conduct the initial governance body meeting using the charter to keep in scope, and ensure all participants follow the governance and decision-making processes in the operating guide. It is important for success that meetings are scheduled six months in advance, always at the same time of the month, using the same meeting arrangements (room, dial-in, VTC, etc.), so that the members keep a rhythm of meetings and activities.

2.21 Maintain and Improve the IT Governance System

The operating guide provides the operational IT governance procedures for maintaining and improving the governance system. These procedures provide the decision-making and governance processes needed to operate and improve the governance system and to take advantage of lessons learned, so that necessary refinements and improvements can be implemented.

3 IT Governance Implementation Best Practices

The methodology for implementing IT governance should be based on industry best practices and a knowledge base of thousands of successful implementations. The IT Governance Institute, in response to demand signals from government and the business community, has collected a worldwide repository of IT governance case studies, best practices, and survey information on how high-performing organizations excel in getting their IT departments to focus on government and business strategic objectives. Lessons learned have also been a big contribution to the repository and help develop best practices in governance. Any IT governance initiative should use the experience and best practices of established governance initiatives in other organizations. Setting up IT governance is not as simple as executing a charter and scheduling meetings. Therefore, governance SMEs should aid in the strategy, planning, IT governance system build, and training. The SMEs will phase out as the IT governance system becomes operational but should remain on call for support.
Best practices for establishing governance systems include:
- The IT governance system should be implemented using a project-team phased approach
  o A phased approach increases control and reduces the risk of failure
  o A phased approach allows continuous improvement and transfer of knowledge from one phase to the next
  o A big bang approach requires buy-in and commitment from the entire organization at the same time, whereas a phased approach requires commitment from a smaller number of people and is incrementally spread across the organization. Unless the organization is unusually small and therefore easily managed from a single vantage point, a big bang approach is not recommended.
- Involve stakeholders in the implementation; they can help with:
  o Compliance and risk issues
  o Alignment with industry best practices and standards
  o Dependence on suppliers for outsourced services
- Other considerations in planning the project:
  o IT governance must be chaired by senior leadership (as senior as possible)
  o IT governance structures should exist at many levels
  o Governance should be top down, with decision rights and accountability allocated down and proposals and exceptions flowing up
  o Governance should sustain the organizational mission and objectives
  o Governance should be based on international standards and good practices
  o Each body should have its own charter and internal processes (communications, decision making, conflict resolution, etc.)
  o IT governance bodies should have specific interactions with other governance bodies; communication is a critical success factor
  o Governance bodies should be principle-based (see ISO/IEC 38500, International Standard for Corporate Governance of Information Technology)
  o IT governance bodies allocate authority and decision rights to lower-level bodies, with each body signing and executing the charters for its subordinate bodies
  o Letters of designation for IT governance body members should be initiated by the Chairman of the body with the authority to make assignments as indicated in the charter
  o All IT governance activities should be transparent and communicated to stakeholders

References

1. ISACA: https://www.isaca.org/pages/default.aspx
2. IT Governance Institute: http://www.itgi.org/
3. ISO/IEC 38500:2008: http://www.38500.org/
4. COBIT 5: http://www.isaca.org/cobit/pages/default.aspx
5. Implementing and Continually Improving IT Governance: http://www.isaca.org/knowledge-Center/Research/ResearchDeliverables/Pages/Implementing-and-Continually-Improving-IT-Governance1.aspx
6. ITSMO Enterprise Service Quality Plan: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/itsmo_enterprise_service_quality_plan.pdf
7. Taking Governance Forward Mapping Initiative: http://www.isaca.org/journal/past-Issues/2009/Volume-1/Documents/jpdf0901-in-summary.pdf
8. ITSMO Strategic Communications Plan: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/itsmostrategiccommunications_v1.1.docx
9. ITSMO IT Governance Charter Template: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/governance/templates%20and%20examples/governance_charter_template_v1.docx
10. ITSMO IT Governance Strategic Plan Template: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/itsmo_strategic_plan_template.docx
11. ITSMO Operating Guide: https://usff.portal.navy.mil/sites/fccc10f/cio/1/itsmo/shared%20documents/itsmo_operating_guide.pdf

Appendix A Governance Actions, Definitions, and Examples

As an adjunct to the information already presented, the following actions, definitions and examples help to illustrate the cohesiveness of the IT Governance System through the actions and interactions required to ensure a functioning and capable construct. The information presented in the following paragraphs is not all-inclusive; rather, it is representative of the activities performed by a governance body that has been established on good practices.

IT Governance Body Actions

Direct: Top-down policies, strategies and directives ("thou shall"). Direct includes:
- Process and service ownership
- Establishment of subordinate governance bodies through charters
- Detailed DON/DoD policies that map to controls
- Real-time and historical performance data reflecting the intent and output of process activities
- Institutionalization of a process and service improvement methodology

Evaluate: Comparing the values of results against expected results. Baselines and metrics should be established for comparative analysis of reported information. Reporting to governance bodies is typically in the form of balanced scorecards.

Monitor: The methods and activities by which information about the use of systems, networks, applications and information is captured and interpreted.

Control: The mechanisms by which the governance bodies ensure the achievement of mission objectives through responsible use of resources, appropriate management of risk and costs, and alignment of IT with the mission of the larger organization. Control includes:
- Process and service management
- Service specifications and catalogs
- Agreement structures, i.e., Service Level Agreements (SLA), Operational Level Agreements (OLA), Underpinning Contracts (UC) and Memoranda of Understanding (MOU)

Communicating: Determining who needs to know what and when, down and across the organization; this applies to all levels of governance.
Effective communication is a critical success factor for establishing a governance system.

Actions Carried Out by Stakeholders

Execute: To carry out and accomplish the assigned tasks of processes, policies, directives, and strategies. This activity ensures the

Execute includes:
- Process and service operations
- Activity-level processes and their tasks and SOPs
- Task-level processes and their SOPs and work instructions
- Operating integrated ITSM tools

Operational Control: The daily activities of operations management to ensure objectives are achieved: the planning, building, organizing, and controlling of operational activities to align with the direction set by the governance body, e.g., by functional groups, process or service owners, Change Advisory Boards (CAB) and the Service Desk.

Navy ITSMO Operating Guide

Governance systems must have an operating guide that includes the procedures for operating the governance system. There should be SOPs for all facets of the governance system, including decision making and governance procedures (see Section 2.15). Especially when establishing governance in an organization, there should be no ambiguity about how the governance system operates. The operating guide is the handbook for all participants and should be updated on a regular basis. The Navy ITSMO Operating Guide is a good example available to Navy stakeholders and organizations for guidance in developing their own operating guide. The key objectives of the Operating Guide include:
- Provide standardized methods and procedures to be used for the efficient and prompt handling of business needs
- Minimize variation and promote quality through consistent implementation of the procedures
- Promote compliance with Navy and DoD policies and directives
- Ensure that all relevant governance and decision-making processes are properly recorded, reviewed, assessed, and approved
- Minimize operational risks and duplication of effort
- Ensure that all staff are trained and capable of executing against the implemented SOPs

IT Governance System Roles

The following table defines the roles necessary for the governance system after the project is completed; they should be detailed in the strategy, charter and operating guide.
Role: Chairman
Responsibilities: The governance body chairman is granted authority by the governance charter to conduct the daily operations and chair scheduled meetings of the governance body. The chair has overall accountability for the successful operation of the body within the scope of the charter. The chair is a voting member and the single point of contact for other governance bodies and external groups.

Role: Principal Member
Responsibilities: Voting members selected by stakeholder organization leadership or by other means indicated in the charter. The composition and duties of Principal Membership are enumerated in the charter.

Role: Adjunct Member
Responsibilities: Non-voting members attending scheduled governance body meetings for situational awareness (SA). Duties of Adjunct Members are detailed in the charter. Typically, Adjunct Members do not participate in governance board meeting discussions unless prompted by a Principal Member.

Role: Scribe
Responsibilities: A key position necessary for governance body operation. Duties are in the charter and should include:
- Maintaining a stakeholder registry
- Preparing the agenda
- Recording and distributing meeting minutes
- Meeting arrangements
- Meeting prerequisites

Role: Portal Administrator
Responsibilities: Maintaining communication with members and stakeholders is critical; the Portal Administrator ensures the governance body meeting schedule, minutes, and charter are available to both. Additionally, a workspace is provided for the exhibits and artifacts necessary for conducting governance body meetings.

Role: Stakeholders
Responsibilities: Those contacts, internal and external to the organization, that are affected by governance board decisions. Stakeholder communication should be two-way; stakeholders are the major source of governance body issues to resolve.

Table 2: IT Governance System Roles and Responsibilities

IT Governance Model Example

Any organization that establishes IT governance will have to create a governance model in its IT governance strategy indicating the lines of communication, proposals, decisions, exceptions and, most important, the cascaded delegation of authority. In this example the Enterprise ITSMO has created subordinate boards, committees and councils, all with their own charters and delegated authority.
Governance bodies must also consider higher-level governance bodies that have authority over their actions and handle their governance exceptions (problems requiring resolution or decisions) and proposals. The following is a notional governance model example.

Figure 3: IT Governance Model [Example]

Appendix B Risk Register

IT Service Management Office (ITSMO)
Version 1.0, 23 September 2013