IT Governance: Aligning IT with Business Objectives and Measuring IT Performance, Summaries of Accounting

The importance of IT governance in aligning IT activities and processes with business objectives, incorporating IT into enterprise risk management, managing IT performance, ensuring regulatory compliance, and delivering IT value. It also introduces COBIT and IT Balanced Scorecard as frameworks for measuring IT performance and achieving IT-business alignment.

Typology: Summaries

2020/2021

Uploaded on 11/02/2021

ronna-aniscal

3.1. IT Governance - Alignment of IT with Business Objectives
In a survey conducted by the IT Governance Institute, 94% of participating
organizations considered IT to be very important to the overall organization strategy.
The same survey noted that the higher the level of IT governance maturity, the higher
the return on IT investment. To achieve IT governance maturity and a higher return on
IT investment requires a close partnership between IT and business management.
Close alignment of the IT strategy with the business strategy is essential to the success
of a well-functioning partnership. It is important for the organization to understand the
business it supports and for the business to understand the technology it uses. For this
to happen, the organization must have a seat at the table with the Chief Executive
Officer (CEO) and other business leaders.
Communicating with senior management is not an easy task as IT is only a small
portion of the issues faced by organizations today. IT leaders must be seen as valuable
members of the team, and not just as service providers. For this to happen, the Chief
Information Officer (CIO) and IT management must first seek to understand the
business issues and offer proactive solutions to the organization’s needs. IT
management must also have a clear understanding of their current strengths and
weaknesses and be able to communicate this information to the business management.
IT governance provides the structure to achieve alignment of the IT activities and
processes with business objectives, incorporate IT into the enterprise risk management
program, manage the performance of IT, ensure the delivery of IT value, and make
certain of regulatory compliance and adequate implementation of internal controls.
Effectively managing an organization requires a solid foundation of governance and
control over IT resources. Governance guides the decision rights, accountability, and
behaviors of an organization. This is controlled through a series of processes and
procedures that identify who can make decisions, what decisions can be made, how
decisions are made, how investments are managed, and how results are measured.
Implemented effectively, IT governance allows IT activities and processes to be in
alignment with the direction set by the governance body to achieve the enterprise
objectives.
Delivering value from IT is a joint effort between business and IT to develop the right
requirements and work together for successful delivery of the promised benefits. To be
effective, the Board of Directors (Board), an organization’s governing body including the
audit committee to whom the chief audit executive may functionally report, must
understand the current state of IT and actively participate in establishing the future
direction of IT. Effectively communicating with the Board about IT is not always easy. IT
is a very complex environment, which is difficult to explain to non-IT professionals. In
addition, many members of the Board or senior management will have their own issues
and a vested interest in certain IT projects and services that may influence the decision-
making process. Getting agreement up front on the measures of IT performance will go
a long way toward focusing senior management on the key issues in managing IT.

Measuring both business and IT performance will also help hold both parties accountable for the success of IT projects and service delivery.

3.2. IT Governance Frameworks

Three widely recognized and best practice IT-related frameworks include: IT Infrastructure Library (ITIL), COBIT, and the British Standard International Organization for Standardization (ISO)/International Electrotechnical Commission 27002 (ISO/IEC 27002). These three frameworks provide organizations with the means to address different angles within the IT arena.

ITIL

ITIL was developed by the United Kingdom’s Cabinet Office of Government Commerce (OGC) as a library of best practice processes for IT service management. Widely adopted around the world, ITIL provides guidelines for best practices in the IT services management field. Specifically, an ITIL service management environment effectively and efficiently delivers business services to end-users and customers by adhering to five core guidelines related to:

• Strategy—guidelines or best practice processes to map the IT strategy with overall business goals and objectives.
• Design—best practice processes (or requirements) implemented to guide toward a solution designed to meet business needs.
• Transition—aims at managing change, risk, and quality assurance during the deployment of an IT service.
• Operation—guidelines or best practice processes put in place to maintain adequate and effective IT services once implemented into the production environment.
• Continuous Improvement—constantly looks for ways to improve the overall process and service provision.

The ITIL framework should be chosen when the goal of the organization is to improve the quality of the IT management services. The ITIL framework assists organizations in creating IT services that can effectively help to manage the daily tasks, particularly when the focus is on either customer or end-user.

COBIT

COBIT is an IT governance framework that helps organizations meet today’s business challenges in the areas of regulatory compliance, risk management, and alignment of the IT strategy with organizational goals. COBIT is an authoritative, international set of generally accepted IT practices or control objectives, designed to help employees, managers, executives, and auditors in: understanding IT systems, discharging fiduciary responsibilities, and deciding adequate levels of security and controls. COBIT supports the need to research, develop, publicize, and promote up-to-date internationally accepted IT control objectives. The primary emphasis of the COBIT

• Guidelines for implementing information security management (i.e., initiating, implementing, maintaining, and improving information security) for inter-sector and inter-organizational communications. (ISO/IEC 27010:2015)
• ISO/IEC 27013:2015. Guidance on the integrated implementation of an information security management system, as specified in ISO/IEC 27001, and a service management system, as specified in ISO/IEC 20000-1.

Using the family of standards above will assist organizations to manage the security of assets, including, but not limited to, financial information, intellectual property, employee details or information entrusted by third parties. The purpose of the ISO/IEC 27002 framework is to help organizations select proper security measures by utilizing available domains of security controls. Each domain specifies control objectives that provide further guidance on how organizations may attempt to implement the framework. The ISO/IEC 27002 framework should be chosen when IT senior management (i.e., CIO) targets an information security architecture that provides generic security measures to comply with federal laws and regulations.

A Joint Framework

As seen, ITIL, COBIT, and the ISO/IEC 27002 are all best-practice IT-related frameworks to regulatory and corporate governance compliance. A challenge for many organizations, however, is to implement an integrated framework that draws on these three standards. The Joint Framework, put together by the IT Governance Institute (ITGI) and the OGC, is a significant step leading into such direction.
Aligning ITIL, COBIT, and ISO/IEC 27002 not only formalizes the relationship between them but, most importantly, allows organizations to:

• implement a single, integrated, compliance method that delivers corporate governance general control objectives;
• meet the regulatory requirements of data and privacy-related regulation; and
• get ready for external certification to ISO 27001 and ISO 20000, both of which demonstrate compliance.

Implementing a joint framework leads organizations toward effective regulatory compliance and improves their competitiveness. Implementation of the frameworks just discussed is paramount in addressing relevant areas within the IT field. Of equal importance is the establishment of metrics to measure IT performance. These metrics should not only be in place but also regularly assessed for consistency with the goals and objectives of the organization.

3.3. IT Performance Metrics

Developing a measurement process takes time and resources to implement. To be successful, both the organization and IT management must be in full support. They should also be consulted as to the types of measurements they believe will be most beneficial. The areas to be measured should be closely aligned to the objectives of the organization. It makes no sense to measure something that no one cares about. Management will be most supportive when it sees the metrics applied to the areas that are most in need of improvement. Typically, the areas that are measured have a tendency to attract focus and improve over time.

A critical metric set—the few key metrics that are critical to the successful management of the function—should be identified and applied to the environment. Once the critical metric set has been identified, personnel in the areas that are to be measured should be consulted, and a set of measurements that will provide meaningful data should be devised. Personnel responsible for doing the work should select the best means to measure the quality and productivity of their work. Metrics that are developed should only be applied to data that are both measurable and meaningful. It is useless to waste time on developing measures on areas that do not fall within the critical metric set, as these measures will not satisfy the needs of management.

After initial implementation of the first measurements, it is important to show the results. Data should be compiled over a predefined period, and results should be provided to management on a regular basis. As the metrics database grows, the reliability of the data will increase and the usefulness of the reports to management will also increase.

Although it is quite easy to get management to support metrics (if they are informed as to what metrics are and the impact they can have), it is also difficult to get management support if they are skeptical or have not been educated on the matter.
In this situation, a different tack should be taken. First, management must be made to realize that it is next to impossible to manage what cannot be or is not measured. The easiest way to strengthen this argument is to back it up with some sample metrics. Second, survey data from other organizations can be compiled and presented to encourage adoption of a metrics frame of mind. For sample metrics, identify several areas that can be measured and provide reports on these areas. Again, it is important to provide short-term payback to show results and continue to produce reports showing progress in those areas.

Once all metric data are gathered, they must be presented in a format that is easy for the reader to understand. A combination of graphics and text is important to illustrate the context and performance trends. The reports must stress the progress in the areas selected for measurement. This is a key point in that it shows short-term results in the long-term measurement process. Areas of improvement must be stressed to show that the process is working.

When management has accepted the concept of metrics, it is time to begin implementing some measurements in critical areas. During this step of the measurement

IT-Generated Business Value

Measuring IT performance is dependent on the strategy and objectives of the organization. However, it comes down to the business value IT is delivering to the organization. In general, IT provides value through delivering successful projects and keeping operations running. If an organization is looking for reduced costs, it may measure the cost of IT and the business function cost before and after automation. If an organization is focused on growing new markets, it may measure the time to market for new products.

IT adds value to an organization through project and service delivery. IT projects deliver business value by automating business processes. As these projects are enabled by technology, IT is adding value to the organization. Measuring the amount of benefit delivered from these projects is one way of representing the value of IT. Automating business processes typically results in higher IT costs and lower business costs (or higher revenue). An original application development project’s business case made certain assumptions about the cost and benefit of the new application. Although the project’s business case will be validated as part of the post-implementation review, it is important to continue measuring the ongoing costs over time. There may be a perception that IT costs are growing without the recognition that business costs should be dropping or revenue growing by a greater margin. It is important to keep this information in front of the Board and senior management as a reminder of the value of IT. Delivering the promised value is the responsibility of both IT and the business functions. Reporting on the actual results holds both parties accountable for the expected results.

Another measure of value is how quickly the organization can respond to new business opportunities. If IT has been successful at implementing flexible infrastructure, applications, and processes, it will be able to respond to business needs.
IT services deliver value by being available for the organization as needed. Organizations rely heavily on automated systems to function on a day-to-day basis. The failure of these systems results in loss of revenue or increased expense to the organization. A more positive perspective is the amount of revenue or productivity generated by these systems. As part of the strategic and operational planning process, an organization must decide the level of service required of IT. The service levels will depend on the type of organization, application portfolio, services provided by IT, and the objectives of the organization. An online auction house that depends on 24/7 service availability for its existence will have a different need than a brick-and-mortar grocery store. Metrics to measure business value may address the functions of the IT department, value generated by IT projects, management of IT investments, and sales made to outsiders or third parties. These metrics may include: percentages of resources devoted to strategic projects; perceived relationship between IT management and senior-level management; computation of traditional financial evaluation methods, such as return on investment (ROI) and pay-back period; actual versus budgeted expenses; percentages over/under overall IT budget; and revenues from IT-related services and/or products; among others.

Future Orientation

Future orientation is concerned with positioning IT for the future by focusing on the following objectives: (1) training and educating IT personnel for future IT challenges; (2) improving service capabilities; (3) staffing management effectiveness; (4) enhancing enterprise architecture; and (5) researching for emerging technologies and their potential value to the organization. A sample mission for this perspective would be to deliver continuous improvement and prepare for future challenges. Sample metrics within this perspective would address the following:

• Continuously improving IT skills through education, training, and development.
• Delivering internal projects consistent to plan.
• Staffing metrics by function (e.g., using utilization/billable ratios, voluntary turnover by performance level, etc.).
• Developing and approving an enterprise architecture plan, and adherence to its standards.
• Conducting relevant research on newly-emerging technologies and their suitability for the organization.

Operational Efficiency and Effectiveness

The operational efficiency and effectiveness perspective focuses on the internal processes in place to deliver IT products and services in an efficient and effective manner. Internal operations may be assessed by measuring and evaluating IT processes in areas, such as quality, responsiveness, security, and safety, among others. Other processes to be considered may include hardware and software supply and support, problem management, management of IT personnel, and the effectiveness and efficiency of current communication channels. Measurements of the operational efficiency and effectiveness perspective may result in useful data about the productivity of different internal processes as well as resources. Metrics here can yield productivity information about the performance of technologies and of specific personnel.

End-User Service Satisfaction

End-user satisfaction should play an important role in the overall evaluation of the IT department or function. The end-user, for IT purposes, may be internal personnel or external (e.g., users accessing inter-organizational IT systems or services, etc.). From an end-user’s perspective, the value of IT will be based on whether their jobs are completed timely and accurately. For instance, managers rely on IT-generated reports to make

systematic framework like the IBS that is based on goals and measures that have been agreed upon in advance will likely benefit management of both IT people and projects. All metrics included in the IBS should be quantifiable, easy to understand, and ones for which data can be collected and analyzed in a cost-effective manner. A sample IBS is illustrated in Exhibit 5.1 below.

Mission | Objectives | Metric to Measure | Target Values/Initiatives

Mission: To contribute to the value of the business
IT-GENERATED BUSINESS VALUE

Objective: Business value and strategic contribution of IT department
• Completion of strategic initiatives
• Percentage of resources devoted to strategic projects
• Perceived relationship between IT management and senior-level management

Objective: Business value of IT projects
• Business evaluation based on financial measures (ROI, payback period, etc.)

Objective: Management of IT investment
• Actual versus budgeted expenses
• Percentage over/under overall IT budget

Objective: Sales to outsiders or third parties
• Revenues from IT-related services and/or products

Mission: To deliver continuous improvement and prepare for future challenges
FUTURE ORIENTATION

Objective: Knowledge management
• Completion of education, training, and development courses
• Percentage of positions with qualified backup personnel
• Expertise with specific technologies

Objective: Service capability improvement
Deliver internal projects to plan:
• Internal process improvement
• Organization development
• Technology renewal
• Professional development

Objective: Staff management effectiveness
Staff metrics by function:
• Utilization/billable ratios
• Voluntary turnover by performance level
• Percent of staff with completed professional performance plans

Objective: Enterprise architecture evolution
• Development/approval of enterprise architecture plan (EAP)
• System adherence to EAP and IT standards

Objective: Emerging technologies research
• Percent of IT budget allocated to research of new and updated technologies

Mission: To deliver IT products and services that are efficient and effective
OPERATIONAL EFFICIENCY AND EFFECTIVENESS

Objective: Process excellence
• Process maturity rating and performance (i.e.,

performance

Measuring and assessing IT activities from multiple points of view or perspectives, say through an IBS for instance, helps in evaluating the efficiency, effectiveness, and potential of those activities. Such a scorecard permits managers to assess the impact of IT systems, applications, and activities on the factors considered important to the organization.

3.4. Regulatory Compliance and Internal Controls

One of the key processes that organizations need to manage is compliance with laws and regulations. The sheer number of laws and regulations applicable to a global organization can be overwhelming. It can take a dedicated team to sift through all the financial, security, privacy, and industry-specific regulatory requirements to determine the impact on processes and information systems. Fortunately, many of the IT requirements are satisfied with the implementation of the controls outlined in COBIT. There are tools that can help an organization identify laws and regulations and track the control processes implemented to address them. There are also tools that can help with mapping controls to regulatory requirements (e.g., SOX of 2002, etc.). These tools provide key information for auditors, regulators, and user groups to determine where controls are effective for testing, and which are the gaps that will need to be filled. IT should work together with the organization’s compliance officer to ensure that it is aware of new requirements and report on the resolution of existing requirements.

As mentioned earlier, the implementation of SOX created greater awareness and focus on IT controls. Although there is some debate on the value of SOX to enterprises, there is no doubt that it has increased investment in IT general controls and application controls in many organizations. SOX compliance has forced many organizations to review existing applications that process financial transactions with an eye to controlling these processes.
Business and IT professionals now need to work together in developing control requirements that can be incorporated into the development of applications. Having more IT controls implemented in application systems translates into more opportunities for IT auditors to perform controls assessment work! Cases such as the above have prompted organizations to review and revise their existing game plan or IT strategy so that they not only comply with regulatory agency bodies like SOX but also meet the constantly-changing requirements of their business environments.

3.5. IT Strategy

IT has become the critical ingredient in business strategies as both enabler and enhancer of the organization’s goals and objectives. Organizations must be positioned to take best advantage of emerging opportunities while also responding to the global requirements of the twenty-first century. A strategy is an important first step toward meeting the challenging and changing business environment. A strategy is a formal vision to guide in the acquisition, allocation, and management of resources to fulfill the organization’s objectives. An IT strategy, for example, should be developed with the involvement of the business users to address the future direction of technology.

The IT strategy or IT strategic plan formally guides the acquisition, allocation, and management of IT resources consistent with goals and objectives of the organization. It should be part of an overall corporate strategy for IT and should align to the business strategy it supports. The technology strategy needs to be in lockstep with the business strategy to ensure that resources are not wasted on projects or processes that do not contribute to achieving the organization’s overall objectives. This alignment should occur at all levels of the planning process to provide continued assurance that the operational plans continue to support the business objectives. Supporting the strategy, architectural standards and technology planning ensure that investments in IT lead to efficient maintenance and a secure environment.

IT governance (discussed early in the chapter) provides the structure and direction to achieve the alignment of the IT strategy with the business strategy. Close alignment of the IT strategy with the business strategy is essential to the success of a well-functioning partnership. The most effective strategy will be determined by the combination of the environment, culture, and technology used by an organization. IT management involves combining technology, people, and processes to provide solutions to organizational problems.
IT must take the lead in gathering information to incorporate organizational needs with technological feasibility to create an overall strategy. An IT strategic plan provides a roadmap for operating plans and a framework for evaluating technology investments. The IT strategy supports the business strategy to ensure that technology resources are applied to meeting business objectives while minimizing ongoing support costs. This task sounds fairly simple, but according to a Gartner Group report, “95% of enterprises lack a well-defined business strategy.” In most cases, the business strategy has to be assumed based on conversations with business executives. The first step in defining an IT strategic plan is to understand the business objectives, whether stated or implied. These objectives guide management in evaluating investments, assessing risk, and implementing controls.

So, why should IT have a strategic plan if the organization has none? The main risk of not having an IT strategic plan is the increased cost of technology. If there is no roadmap, organizations run the risk of investing in technology that increases costs but adds no business value. According to the IT Governance Institute, aligning IT investments with business strategies is the biggest single issue organizations face.

  1. Maintain security of all data proprietary to the organization, and provide for the complete backup of all computer systems in case of system failure or disaster.
  2. Procure, install, and maintain all computer equipment (hardware and software) and all other products and supplies necessary to keep computer systems operable and to fulfill management's requests for computer support.
  3. Act as liaison between hardware/software suppliers and organization management for informational updates and problem resolution.
  4. Provide employees with top quality, consistently available computer service, support training and maintenance of all computer systems used throughout the organization.
  5. Assess new equipment, software, and processes continuously, recommend changes as appropriate and supervise their installation.

As part of the IT Steering Committee, the CIO oversees the IT strategy and the computer systems required to support the objectives and goals of the organization. The IT Steering Committee helps ensure integration of the business objectives and goals with the IT strategy. To attain this, the IT Steering Committee tasks may involve:

• Reviewing business and technology strategies and plans.
• Prioritizing major development projects.
• Developing communication strategies.
• Reviewing development and implementation plans for all major projects.
• Providing business decisions on major design issues for all major projects.
• Monitoring status, schedule, and milestones for all major projects.
• Reviewing and approving major change requests for all major projects.
• Reviewing project budgets and ROIs.
• Resolving conflicts between business and technology groups.
• Monitoring business benefits during and after implementation of major projects.

Once an IT strategy has been established by the IT Steering Committee, it must be communicated to all levels of management and to the users to ensure alignment and reduce conflict.

3.7. Communication

Effective communication is critical to coordinate the efforts of internal and external resources to accomplish the organization’s goals. Communication should occur at multiple levels, starting by having internal weekly staff meetings. This should cover the employees within the department. Communication should also take place via town hall meetings, which are typically attended by (and addressed to) all employees in the organization. Communication between IT and the organization, particularly of matters such as IT strategy, goals, etc., should be timely and consistent. Communication should also include all (external) business partners and customers related to the organization.

After the completion of the strategic planning process, the business and IT goals must be translated into actionable goals for the coming year. This is performed through a process called operational planning.

3.8. Operational Planning

Once there is an understanding of the organization’s objectives and IT strategy, that strategy needs to be translated into operating plans (also called operationalization). The annual operating planning process includes setting the top priorities for the overall IT function as well as for individual IT departments, including developing their annual budget, creating resource and capacity plans, and preparing individual performance plans for all IT staff. Operating plans will also identify and schedule the IT projects that will be initiated and the IT service levels expected. Delivery of these plans should be controlled by a series of governance processes.

These governance processes, listed in Exhibit 5.2, are needed to ensure the effective use of resources and delivery of IT projects, as well as proper alignment with business objectives. This includes processes to: manage project demands, initiate projects, perform technical reviews, procure products and manage vendors, and control financial investments. These processes are explained next.

Exhibit 5.2. Governance processes

right solution is selected, that it integrates effectively with other components of technology (e.g., network, etc.), and that it can be supported with minimal investments in infrastructure. One way to control technology solutions is to implement a Technical Steering Committee (not to be confused with an IT Steering Committee) with representatives from the various technical disciplines and enterprise architects. A Technical Steering Committee provides a control mechanism for evaluating and approving new technology solutions. A formal technology solution evaluation process includes assessments of:
  • Technical feasibility
  • Alternative technologies
  • Architecture
  • In-house skill compatibility
  • Existing environments/replacements
  • Implementation, licensing, and cost considerations
  • Research and analyst views
  • Vendor company profile and financial viability

Procurement and Vendor Management
Processes and procedures should be in place to define how the procurement of IT resources, including people, hardware, software, and other services will be performed. IT procurement involves strategic and administrative tasks, such as defining requirements and specifications; performing the actual IT service or resource acquisition (only after assessing and selecting the appropriate vendor); and fulfilling contract requirements. Vendor selection usually involves the evaluation of three to five vendors. The IT Steering Committee regularly evaluates IT vendors and suppliers and makes the ultimate decision of which vendors or suppliers to bring on board.

Financial Management
In the financial management governance process, potential investments, services, and asset portfolios are evaluated so that they get incorporated in cost/benefit analyses and ultimately within the budget. IT budgeting, for instance, considers existing IT products, resources, and services in order to assist the planning of IT operations. Budgeting is a strategic planning tool (typically expressed in quantitative terms) which aids in the monitoring of specific activities and events. Budgeting also provides forecasts and projections of income and expenses which are used strategically for measuring financial activities and events. Budgets are useful to management when determining whether specific revenue/cost activities are being controlled (i.e., revenues being higher than budget estimates or costs being lower than estimated budget amounts). Budgets also indicate how organizations might perform financially, operationally, etc., should certain strategies and/or events take place.

3.9. Conclusion
IT governance establishes a fundamental basis for managing IT to deliver value to the organization. Effective governance aligns IT to the organization and establishes controls to measure meeting this objective. Three effective, best-practice IT-related frameworks commonly used by organizations are ITIL, COBIT, and ISO/IEC 27002. These three frameworks provide organizations with value and the means to address different angles within the IT arena.

Realizing the value of IT requires a partnership between management and IT. This partnership should include managing enterprise risk, as well as establishing performance measurement assessments consistent with existing strategies and goals. These performance measures should be aligned to the objectives of the organization, result in accurate and timely data, and be reported in a format that is easy to understand. An example of a common tool to measure IT performance is the IT Balanced Scorecard (IBS). An IBS provides an overall picture of IT performance aligned to the objectives of the organization. It specifically measures and evaluates IT-related activities, such as IT projects and functions performed by the IT department, from perspectives like IT-generated business value, future orientation, operational efficiency and effectiveness, and end-user service satisfaction.

Establishing effective controls in IT and ensuring regulatory compliance is also a joint effort. Well-controlled technology is the result of an organization that considers controls a priority. Organizations need to include controls in system requirements to make this happen. Internal and external auditors can add tremendous value to an organization by providing independent assurance that controls are working as intended. With the implementation of SOX, the knowledge and skills of auditors are a valuable resource to any organization. IT auditors can assist the organization in documenting and evaluating internal control structures to comply with SOX or other governance models.

A strategy is an important first step toward meeting the challenging and changing business environment. An IT strategic plan is a formal vision to guide the acquisition, allocation, and management of IT resources to fulfill the organization’s objectives. One way to achieve alignment is to involve business leaders in the development of the IT strategic plan by establishing an IT Steering Committee. The committee helps ensure integration of the business and IT strategic plans.

To ensure the effective use of resources and delivery of IT projects, as well as proper alignment with business objectives, organizations employ governance processes within their annual operating plan. These processes address how to manage project demands, initiate projects, perform technical reviews, procure products and manage vendors, and control financial investments.