A Thorogood Special Briefing: IT Governance

Uploaded by dbaenk, 07-Aug-2018

8/20/2019 A Thorogood Special Briefing IT Governance 1/114

IT GOVERNANCE
Managing Information Technology for Business

David Norfolk

A Thorogood Special Briefing
2nd edition


Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU
t: 020 7749 4748  f: 020 7729 6110
e: [email protected]
w: www.thorogoodpublishing.co.uk

© David Norfolk 2011

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.

This Special Briefing is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than that in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser.

No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.

A CIP catalogue record for this Special Briefing is available from the British Library.

ISBN: 1-854187-45-7
978-185418745-1

Printed in Great Britain by Marston Digital

Other Titles from Thorogood Publishing

IT Contracts: Effective Negotiating and Drafting, by Rachel Burnett
Managing In-house Legal Services, by Mark Prebble
Retention of Title, by Susan Singleton
Strategy Implementation Through Project Management, by Tony Grundy
Legal Protection of Databases, by Simon Chalton
Software Contract Agreements, by Robert Bond
Implementing E-procurement, by Eric Evans and Maureen Reason
Email – Legal Issues, by Susan Singleton

Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or email us: [email protected]

The author

David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior Analyst for Development in 2007 and is now Practice Leader for Development and Governance.

He has published research papers on Compuware Uniface, data integration, the Artisan Studio software engineering tool, Capability and Maturity, Enterprise Architecture and so on; and has spoken at many events (e.g. for the Intel software community).

David is co-author, with Shirley Lacy, of a practitioner-focussed book on Configuration Management, Configuration Management: Expert Guidance for IT Service Managers and Practitioners, published by the BCS.

He first got interested in computers and programming quality in the 1970s, working in the Research School of Chemistry at the Australian National University. There he discovered that computers could deliver misleading answers, even when programmed by very clever people, and was taught to program in FORTRAN.

He then worked in DBA and Operations Research for the Australian Public Service in Canberra. Returning to the UK in 1982, David worked for Bank of America and Swiss Bank Corporation, where he occupied positions in DBA, Systems Development Method and Standards, Internal Control, Network Management, Technology Risk and even Desktop Support. He was instrumental in introducing a formal Systems Development Process for the Bank of America Global Banking product in Croydon.

In 1992, David became disillusioned with the way people issues were being handled in City IT and decided to start a new career as a professional writer and analyst. Since then he has written for many of the major computer magazines and various specialist titles around the world. He helped plan, document and photograph the CMMI Made Practical conference at the IoD, London, in 2005 and has written many industry white papers and research reports.

He is past co-editor (and co-owner) of Application Development Advisor; is currently Executive Editor for Croner’s “IT Policies and Procedures” product; and was Associate Editor for the launch of Register Developer.

David has an honours degree in Chemistry and is a Chartered IT Professional, has a somewhat rusty NetWare 5 CNE certification and is a full Member of the British Computer Society (he is on the committee of the Configuration Management Specialist Group). He has his own company, David Rhys Enterprises Ltd, which he runs from his home in Chippenham, where his spare moments (if any) are spent on semi-professional photography (he holds the Licentiate distinction from the Royal Photographic Society (LRPS) and is working on the Associateship), sailing and listening to music – from classical through jazz to folk.

Read David’s blog, The Norfolk Punt, at http://www.it-analysis.com/blogs/The_Norfolk_Punt/

Contents

MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE ... vii
    Management issues in IT governance ... viii
    Definition of IT governance ... viii
1 CONTEXT: CORPORATE GOVERNANCE ... 1
2 EXTERNAL PRESSURES: WHAT REGULATIONS? ... 7
    The response to apparent governance failures ... 10
    Legislation affecting IT governance ... 13
    General legislation with IT governance implications ... 21
3 ORGANISATIONAL IMPACT ... 25
    Culture ... 26
    Organisational maturity ... 27
    Roles and responsibilities ... 32
    Practical experience of governance ... 34
4 THE IMPACT ON IT ... 39
    Enterprise Architecture ... 41
    IT Governance Standards ... 42
    IT service management ... 44
    Lifecycle systems development process ... 51
    Management reporting: Telling a true story ... 57
    Practical IT governance tools ... 59
5 IMPLEMENTING IT GOVERNANCE ... 65
    Obtain management sponsorship ... 67
    IT governance methodology overview ... 68
6 CONCLUSIONS ... 77
APPENDIX ... 81
    Resources ... 82

Management overview: Drivers for IT governance

Corporate scandals such as Enron and perceived issues such as storage of illegal pornography on company servers, money laundering and terrorism have led to a change in the way law is applied to ‘limited companies’. Increasingly, the buck stops with the directors (including non-executive directors) of a company – who are held personally responsible for the actions of their companies and, in some cases, face huge fines and possible imprisonment. There is no doubt that this has increased Board-level interest in IT governance, as corporate fraud, use of corporate resources for illegal purposes, sexual and racial harassment increasingly occur in the digital domain. The latest legislation means that a director who turns a blind eye towards what is going on in his or her computers and to what may be stored on company servers will probably find that ‘ignorance is no excuse’.

However, although this has been an immediate driver, a moment’s reflection will assure us that IT governance is a very positive thing for a company. Increasingly, computers are mission critical; increasingly a company couldn’t function without its computers and much of the worth of a company resides in ‘digital IP’: intellectual property in digital form. This includes not only digital documents but also company knowledge embodied in the algorithms implemented in computer programs and the models and ‘repositories’ that are used to analyze and validate business processes as part of software engineering generally.

If you are not in control of your IT resource, you are not in control of your company. In the same way that your annual report is audited to ensure that it tells a ‘true story’ about your financial position, your computer systems must be audited to show that they tell a ‘true story’ in the management reports they provide, in the databases they update and in the reports they send to your regulators.

Ultimately, you need to be a mature organisation with a measurement culture – ‘you can’t control what you can’t measure’. You must have well-defined organisational goals, measure your progress towards these goals and apply corrections – feedback – if you aren’t getting closer to these goals. This is commonly accepted in business but a largely unconscious exception has commonly been made in favour of the IT group. How do many organisations truly measure the ROI (return on investment) from IT? How many organisations accept IT projects that are ‘late, over budget and wrong’ as the norm? How many managers know what their IT staff actually do? How many organisations don’t accurately know how many PCs they have and what programs run on them? How many organisations don’t have an overall picture of exactly what is stored on their servers?

When the directors of such companies accept responsibility for what their organisation does and how it does it, how can they do so with any confidence at all? Such a state of affairs cannot be allowed to continue.

Management issues in IT governance

• Providing an organisational structure that allows Board-level management to set strategic goals and cascade these through the organisation down to the IT technicians implementing automated systems.
• Aligning IT strategy with business strategy; perhaps, even, making IT an integral part of the business.
• Providing an effective communications infrastructure that enables two-way communication (feedback) between all the stakeholders in the governance process, both internal and external.
• Providing effective low-level enforcement of business-focused governance policies in the IT sphere.
• Enabling the effective identification of IT-related risk in the context of business service provision, and the translation of IT risk mitigation measures into business terminology.
• Providing metrics for the effectiveness of IT governance.
• Identifying a return on the investment in IT Governance in terms of ‘better, faster, cheaper’ business systems.

Definition of IT governance

IT Governance is that part of corporate governance in general which ensures that automated systems contribute effectively to the business goals of an organisation; that IT-related risk is adequately identified and managed (mitigated, transferred or accepted); and that automated information systems (including financial reporting and audit systems) provide a ‘true picture’ of the operation of the business.

References

References in square brackets, e.g. [8th DirCons, web], refer to entries in the Resources appendix, at the end of this Report.

Chapter 1
Context: Corporate governance

“Modern capitalism – the model to which virtually the whole world now aspires – is totally dependent on high standards of governance.”
GEORGE COX, ERSTWHILE DIRECTOR GENERAL OF THE INSTITUTE OF DIRECTORS

According to George Cox when he was Director General of the Institute of Directors, in the Introduction to the director’s guide to ‘corporate governance’ [IOD, 2004], “Modern capitalism – the model to which virtually the whole world now aspires – is totally dependent on high standards of governance”.

What he means by ‘governance’ is the overall and rigorous supervision of company management so that business is done competently, with integrity and with due regard for the interests of all stakeholders. And this is important, not for altruistic reasons but because investors wouldn’t buy shares in a company (or, rather, they’d insist on a considerable discount) if it wasn’t run that way. As Alastair Sim, Director of Strategy and Marketing at SAS, points out in his Foreword to the same work [op. cit.], staying competitive involves maintaining investor confidence. The best way to do this is to ensure the transparency of a company’s operations to investors and other stakeholders, by supplying them with appropriate and trustworthy information (with due regard to business confidentiality); this is one of the main concerns of corporate governance, along with the need to comply with applicable laws and regulations.

In the UK, the law is defined by statute; by statutory instruments, which implement Acts of Parliament and can materially affect the impact of a statute; and is further developed in the courts by precedent – so determining exactly what the law says is not always straightforward and taking expert advice is often a good idea. We then follow a ‘comply or explain’ approach to governance. What this means is that, for example, companies with a full London Stock Exchange listing have to state that they comply with, for instance, the Combined Code (the consolidated governance rules promulgated in June 1998) but can report exceptions in certain areas, where they must explain the reasons for their departure from the rules.

The Combined Code [Combined Code, web] places great emphasis on the need to manage risk, which is largely what the financial reports made available to the various stakeholders are used for. As Peyman Mestchian (Director, risk management practice, SAS UK) puts it, “the sensible company takes risks – but not gambles”. You must take a holistic and objective view of risk – there is more to worry about than just financial risk. Reputation risk, for example, is frequently overlooked – until loss of reputation starts to affect the financial bottom-line, when it is often too late to mitigate it (a reputation that took years to build can be lost in months). The Turnbull Report guidelines to governance for companies quoted on the UK stock exchange talk about the risk associated with market, credit, liquidity, technological, legal, health and safety, environmental, reputation and business probity issues, as well as financial risk. However, some risk is good – you can’t avoid risk without forgoing the business opportunities associated with new kinds of customers, new technologies and new products. In fact, risk avoidance is in itself risky as it limits your opportunities for profit, and doing nothing is frequently the worst possible response to an emerging issue. What is important is that commensurate rewards are associated with the risks that you take, which implies that you have access to reliable information that lets you forecast the rewards and assess the risks with confidence.

Corporate governance ultimately depends on the good functioning of the Board of Directors – and, increasingly, non-executive directors are asked to take responsibility for deviations from good governance. Quoting Kerrie Waring, international professional development manager at the IOD [op. cit.], “A well functioning Board is key to the performance of companies and their capacity to attract capital. A well-established corporate governance framework should ensure that Boards monitor managerial performance effectively to achieve an equitable return for shareholders and uphold the values of fairness, transparency, accountability and honesty.”

You could say that the prime objective of IT governance is to help rather than hinder the Board in its governance efforts, as part of a dynamic partnership between business and technology. (Technologists enable business; business rewards technologists.) In many organisations, the IT function is seen as a bit of a loose cannon, subject to different standards, responsibilities and controls to the rest of the organisation; and, in the long term, this isn’t going to be good for the careers of those employed by the IT function.

Corporate governance is often talked about in the context of publicly quoted companies, because the shareholders in such companies form a wide and visible set of stakeholders, and because stock markets underlie most economies these days. However, similar considerations also apply to private companies, of course, since although the stakeholders are different and the legal issues perhaps rather simpler, the owners of the company still need access to reliable information as to its operation.

Regulations in the USA, say, are generally more draconian these days – although even Sarbanes-Oxley seems to be less prescriptive and more in the European style than previous US regulations. This is actually an improvement, as it is harder to merely comply with the ‘letter of the law’ if you can be assessed both on what you consider to be appropriate internal controls and also on the effectiveness of your implementation of these controls.

International corporate governance rules are also changing, but rules worldwide seem to be generally moving in the same direction. Eventually, it is hoped that the mission statement of the International Accounting Standards Board (IASB) will come to fruition and we will have ‘a single set of high quality, understandable and enforceable global accounting standards that require transparent and comparable information in general purpose financial statements’.

Which brings us to Information Technology (IT), since large amounts of information are seldom stored, processed and retrieved manually these days. Your financial reporting is only as good as the quality of the data reported. You must be able to audit the lifecycle of this data from collection through to destruction: you must be able to show where it comes from, who has access to it and that any changes are properly authorised. IT can facilitate this: there is an issue with the transparency of IT (few businessmen are completely comfortable with code analysis) but business policies can be rigorously enforced in unambiguous computer code and any risk of manual error mitigated. Well, up to a point – ‘garbage in = garbage out’ applies and IT systems only do what they are told to do. This is, of course, a governance issue: the policies embodied in the automated systems must be aligned with corporate policy, the instructions input to the IT systems must be the right instructions, and the accuracy of the translation of these instructions into code must be tested.

IT is also increasingly a major source of risk in companies:

• IT facilitates worldwide access to internal systems, increasing the opportunity for fraud and data theft.
• The scope of impact of IT systems failure can be company-wide.
• IT projects are frequently an enabler for new business; in fact, IT systems are increasingly central to the operation of many companies.
• Despite the importance of IT, according to the Standish Group Chaos Reports [Standish, web], over 80% of IT projects come in late, over budget or wrong (and frequently all three) – over a quarter are cancelled before they are fully implemented.

The Board needs to recognise the risk factors affecting IT projects: very large projects, visible projects, projects crossing geographical or departmental boundaries, projects using new technology and projects particularly dear to the Board’s heart are all particularly risky.

IT development failures or operational failures are equally matters of corporate governance. When Nick Leeson brought down Barings, there was a real failure of banking governance – essentially, it simply isn’t good practice to allow traders to make their own settlements. However, you can equally see this as partly an IT governance issue:

• The technology is available to enforce governance policies including separation of function.
• Positions and limits can be reported transparently to management.
• The calculation of settlements can be removed from the possibility of human error.
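The three controls just listed, together with the earlier requirement that you can show who has access to data and that changes are properly authorised, as one added example in Python (not code from the briefing): a toy trade book in which a trader cannot settle a trade they booked even if they hold both roles, position limits are enforced and reported by code rather than by the trader, the settlement amount is computed rather than keyed in, and every attempt, allowed or refused, goes into a hash-chained audit log that detects later alteration. The role table, the limit and the trades booked in demo() are assumptions constructed for the example.

```python
# Added illustration (not the briefing's code) of the controls the text names:
# separation of function, transparent position reporting, settlements computed
# by code, and a tamper-evident audit trail. ROLES, POSITION_LIMIT and the
# trades booked in demo() are constructed for the example.
from __future__ import annotations

import hashlib
import json
from collections import namedtuple
from dataclasses import dataclass, field

ROLES = {  # constructed role table; a real system reads roles from its identity store
    "alice": {"trader"},
    "bob": {"trader"},
    "carol": {"settlements"},
    "dave": {"trader", "settlements"},  # deliberately over-privileged user
}
POSITION_LIMIT = 1_000_000  # constructed net-notional limit per trader

Trade = namedtuple("Trade", "trader notional price_cents")  # price in integer cents


class GovernanceViolation(Exception):
    """An action that would breach a control; the attempt is still logged."""


@dataclass
class TradeBook:
    trades: dict[str, Trade] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)

    def _log(self, actor: str, action: str, detail: str, allowed: bool) -> None:
        # Each entry is hashed with its predecessor's hash, so a later edit or
        # deletion of any record is caught by verify_audit().
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "actor": actor, "action": action,
                 "detail": detail, "allowed": allowed, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self.audit.append(entry)

    def verify_audit(self) -> bool:
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(
                prev.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = digest
        return True

    def _require(self, actor: str, role: str, action: str, detail: str) -> None:
        if role not in ROLES.get(actor, set()):
            self._log(actor, action, detail, allowed=False)
            raise GovernanceViolation(f"{actor} lacks role {role!r} for {action}")

    def position(self, trader: str) -> int:
        return sum(t.notional for t in self.trades.values() if t.trader == trader)

    def book(self, actor: str, trade_id: str, notional: int, price_cents: int) -> None:
        self._require(actor, "trader", "book", trade_id)
        if abs(self.position(actor) + notional) > POSITION_LIMIT:  # limit enforced by code
            self._log(actor, "book", trade_id, allowed=False)
            raise GovernanceViolation(f"{actor} would exceed position limit")
        self.trades[trade_id] = Trade(actor, notional, price_cents)
        self._log(actor, "book", trade_id, allowed=True)

    def settle(self, actor: str, trade_id: str) -> int:
        trade = self.trades[trade_id]
        self._require(actor, "settlements", "settle", trade_id)
        if actor == trade.trader:  # separation of function, even for dual-role users
            self._log(actor, "settle", trade_id, allowed=False)
            raise GovernanceViolation(f"{actor} cannot settle own trade {trade_id}")
        amount = trade.notional * trade.price_cents  # computed, never keyed in by hand
        self._log(actor, "settle", f"{trade_id}:{amount}", allowed=True)
        return amount

    def positions_report(self) -> dict[str, int]:
        # Net position per trader: the figure management should see unfiltered.
        return {u: self.position(u) for u, r in ROLES.items() if "trader" in r}


def demo() -> dict:
    # Run a constructed scenario and return the outcomes for inspection.
    book, out = TradeBook(), {}
    book.book("alice", "T1", 400_000, 10125)
    out["carol_settles_T1"] = book.settle("carol", "T1")
    for label, action in (
        ("alice_T2", lambda: book.book("alice", "T2", 700_000, 9900)),  # breaches limit
        ("dave_T3", lambda: book.book("dave", "T3", 100_000, 5000)),    # allowed
        ("dave_settles_T3", lambda: book.settle("dave", "T3")),         # own trade
        ("bob_settles_T3", lambda: book.settle("bob", "T3")),           # lacks role
    ):
        try:
            action()
            out[label] = "ok"
        except GovernanceViolation as exc:
            out[label] = str(exc)
    out["positions"] = book.positions_report()
    out["audit_intact"] = book.verify_audit()
    book.audit[1]["allowed"] = False  # simulate tampering with a stored record
    out["audit_after_tamper"] = book.verify_audit()
    return out
```

Running demo() shows that refused actions appear in the audit trail alongside the permitted ones; that is the point of the control, since the log records who attempted what, not only what succeeded, and verify_audit() fails as soon as any stored record is altered.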

What technology can’t do, of course, is to inculcate common sense in the Board or counteract complacency or greed. Even so, increasingly, IT is being made accountable for technology-driven business outcomes and a technical failure that is allowed to affect the operation or reputation of a company is being seen as a failure of corporate governance – as, of course, it is.

The next chapter looks at the legal framework underlying governance generally in the context of IT governance specifically.

Chapter 2
External pressures: What regulations?

The response to apparent governance failures
Legislation affecting IT governance
General legislation with IT governance implications

“I think the reason that we are seeing an increase in ITIL® [say] over the last 9 months is due to Sarbanes-Oxley. They have to look at it, it’s not a question of should we/shouldn’t we, they do have to look at the process issues.”
THOMAS MENDEL, PRINCIPAL ANALYST, FORRESTER RESEARCH.

It is a mistake to see IT Governance as purely a response to external regulatory pressures, as this engenders a fundamentally unsound attitude: governance becomes seen purely as a cost, a cost of doing business, over which you have no control.

In fact, IT governance should be seen as a way in which the Board can ensure that IT resources are deployed and managed cost-effectively, in the pursuit of business strategy. The ultimate aim of IT governance is better, faster, cheaper business; that is, the assurance of business outcomes.

Nevertheless, one aspect of this is the transparency that ensures that all the stakeholders in a business can satisfy themselves that the business is being carried out honestly and ethically, in the interests of the business (and community) as a whole, instead of the dysfunctional interests of particular parties. In the extreme, IT Governance is about mitigating the risk of internal IT-assisted fraud, probably a far greater potential disaster to a company than the high profile risk of external hacking. The positive benefit from this transparency is that you can demonstrate the probity and reliability of your company to third parties: business partnerships will be easier to arrange (thus enabling greater automation of inter-business processes or ‘straight through processing’) and raising investment capital (from shareholders) should be easier.

Unfortunately, it must be apparent that corporate governance in general has had a bumpy ride at the end of the last century and the beginning of this one. The Bank of Credit and Commerce International survived conventional auditing for years, despite being run as a criminal enterprise (a fact apparently known to many inside the banking industry, where it was sometimes referred to as the Bank of Crooks and Conmen International). It became apparent that many people held more non-executive directorships than they could manage if they were really overseeing the governance of the companies they held them with, and were treating them simply as a rewarding perk; and then Enron threatened to make the idea of corporate governance a joke.

Since a lack of confidence in the operational probity of commercial organisations threatens the very fabric of international commerce, governments rapidly began to investigate the issue of what proper internal control should be – and then to tighten up regulatory legislation. This generally addressed corporate governance in the widest sense but, unavoidably, had implications for IT governance specifically.

Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn’t just specify a list of more-or-less arbitrary rules) but attempts to engender ‘good practice’ and foster ‘organisational maturity’. A company that satisfies the spirit of Sarbanes-Oxley, for example, will be a better-managed company, able to measure the effectiveness with which it aligns IT objectives to business objectives, able to demonstrate the effectiveness and honesty of its financial reporting – and able to operate more cost-effectively as a result.

Even so, there is a lot of new legislation surrounding financial reporting and internal control generally, which the IT group must be aware of. It is always going to be more effective in the context of an evolving business and rapidly changing technology if IT governance is built into automated systems from the start. This means adopting a lifecycle development and maintenance process, which treats regulatory requirements as equal in importance to the other business requirements and implies that automated systems are tested against scenarios derived from applicable legislation. In general, the IT group can expect business stakeholders in an automated system to tell it what the regulatory requirements are, but the IT analysts must question what they are told and ensure that automated systems can satisfy ‘non-functional’ requirements for effective audit trails, access controls and systems resilience, which originate in governance-promoting legislation. In turn, this means that they must be aware of what legislation exists and what sort of controls it mandates, at least so they can have sensible conversations with business managers as to what is needed.

  • 8/20/2019 A Thorogood Special Briefing IT Governance

    22/114

    The response to apparent governance failures

    There are several commissions/committees etc. that have reported on corporate

    governance and which provide a background to IT governance. Broadly speaking,these seem to have had wide influence, so that the Cadbury Report in the UK, for

    example, may well influence US legislators formulating US legislation.

    Committee of Sponsoring Organisations of the Treadway Commission (COSO)

    As long ago as 1985, the National Commission on Fraudulent Financial Reporting (the Treadway Commission) was set up under joint sponsorship by the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA, formerly the National Association of Accountants) to address the issue of fraudulent financial reporting. It resulted in the setting up of a task force under the auspices of the Committee of Sponsoring Organisations of the Treadway Commission (COSO) [COSO, web], which developed a set of practical, broadly accepted criteria for establishing internal control and then evaluating its effectiveness. In 1992, COSO issued the Internal Control – Integrated Framework, commonly called the COSO framework, which has in turn influenced other initiatives, such as COBIT (Control Objectives for Information and related Technology) from the IT Governance Institute. COSO was developed in the USA but has influenced thinking on internal control and governance worldwide.

    COSO describes an internal control process, run by the Board with the co-operation of an organisation’s management, which addresses the need for:

    • effective and efficient operational processes;

    • reliable and truthful financial reporting processes; and

    • compliance with all applicable laws and regulations.

    Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Report, 1992)

    This began the process of formalising corporate governance in the UK and included a code of best practice. It was extended to cover, for example, corporate pay by the Greenbury Committee.


    Combined Code on Corporate Governance (UK)

    In 1995 a review of corporate governance in the UK started under the chairmanship of Sir Ronald Hampel, culminating in the Final Report: Committee on Corporate Governance, issued in January 1998. In June 1998, this resulted in the Combined Code [CC, web], which has more or less regulated corporate governance in the UK since, although it has been developed further (see The Higgs Review, below).

    Organisation for Economic Co-operation and Development (OECD), Principles of Corporate Governance

    These were first published in 1999 and updated following a consultation process started in 2004, with representatives from, for example, business, trade unions and governments. The principles assert such things as the right of investors to nominate and elect company directors, to question companies on their compensation policy and to ask questions of the auditors. The OECD also expects Boards to protect whistle-blowers by allowing them confidential access to someone on the Board. The review process for the OECD Principles of Corporate Governance is described at [OECD, web].

    Bank for International Settlements (BIS), Enhancing Corporate Governance in Banking Organisations

    The Bank for International Settlements (BIS) is an international organisation that fosters international monetary and financial cooperation and serves as a bank for central banks. The head office is in Basel, Switzerland and it has representative offices in the Hong Kong Special Administrative Region of the People’s Republic of China and in Mexico City. It was established in 1930 and is the world’s oldest international financial organisation. The BIS report, Enhancing Corporate Governance in Banking Organisations (1999) [BIS, web], is a useful summary of the principles of corporate governance in 1999, referencing the Basel Committee etc. The BIS site is generally a useful source of information on banking governance.

    Internal Control: Guidance for Directors on the Combined Code (Turnbull Report)

    The Turnbull Report was issued in 1999 and adopting its recommendations [Turnbull, Web] is mandatory for companies quoted on the UK Stock Exchange, but the recommendations are far from prescriptive, although companies will find them sufficiently challenging. They call for Audit Committees to adopt a broader role in corporate governance and reiterate that the Board should maintain an effective internal control regime. This implies accuracy and transparency in the IT reporting systems that must be a foundation of any such effort.

    The Financial Reporting Council reviewed Turnbull in July 2004, which affects accounting periods starting on or after 2006. This review found that the Turnbull guidance still generally achieves its intended effect, in the light of UK and international experience since 1999, although there are questions as to how far it has succeeded in promoting the actual embedding of governance in business processes. The Turnbull Review Group made only a small number of changes to the Turnbull Guidance, one being that the board’s statement on internal control should confirm that necessary actions have been, or are being, taken to remedy any significant failings or weaknesses in internal control. Turnbull at present is concerned with the spirit of corporate governance and isn’t very prescriptive; it remains to be seen whether it becomes more prescriptive over time, along the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull, although less purely prescriptive than is usual with US regulations). The UK Auditing Practices Board revises its bulletins on The Combined Code on Corporate Governance: Requirements of Auditors under the Listing Rules of the Financial Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin 2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is superseded by Bulletin 2009/4, Developments in Corporate Governance Affecting the Responsibilities of Auditors of UK Companies, issued in December 2009 (see the list of Bulletins at [APB, web], for example).

    IT Governance Institute, Control Objectives for Information and Related Technology

    The Control Objectives for Information and related Technology (COBIT) is an important framework developed by the IT Governance Institute in the context of COSO and is built on the premise that the role of IT is to deliver the information that an organisation needs in order to meet its objectives. IT governance is then the process that ensures that IT satisfies this role adequately. A useful introduction and overview of COBIT is contained in the Board Briefing on IT Governance, from the IT Governance Institute [BoardBrief, web].

    The Higgs review

    Derek Higgs was commissioned by the DTI to review the role and effectiveness of non-executive directors in the implementation of good corporate governance. He reported in 2003 with a set of suggested changes to the Combined Code, which was republished accordingly in that year.

    The Combined Code is now under the auspices of the Financial Reporting Council (FRC) and further changes can be expected as and when needed to ensure that it remains relevant in the face of changing business conditions and technologies.

    Legislation affecting IT governance

    Legislation affects IT governance and it is important to actually read the legislation, as well as any guidance notes or press releases. Many vendors seek to generate sales from high-profile legislation, and only by referring to the legislation itself will you discover that there may be, for example, exceptions for smaller companies or wider issues that make a vendor’s ‘silver bullet’ solution unlikely to be effective. For example, ‘SOX kits’ are available which promise to deliver Sarbanes-Oxley compliance – but in the absence of an active and well-understood process framework it is unlikely that these will deliver more than compliance with the ‘letter’ of the law on the day that they are delivered. Since directors are supposed to revisit internal controls whenever anything which might affect them changes, it is likely that any ‘silver bullet’ will prove to be expensive in the longer term, may well prove not to deliver the compliance with the spirit of the law that regulators expect – and won’t deliver the organisational benefits possible from a holistic approach.

    Of course, if you put in place the frameworks, processes and organisational maturity necessary to comply with the spirit of Sarbanes-Oxley, say, you may find a ‘silver bullet’ technology that meets your needs – but it is then hardly just a silver bullet.

    The main act affecting companies in the United Kingdom is the Companies Act 2006. This is the longest Act of Parliament ever enacted in the United Kingdom (305,397 words) and it is supported by numerous regulations having the force of law. In effect, it establishes an equivalent to the US Sarbanes-Oxley Act (see below) in the UK. It is less prescriptive and detailed than SOX – UK companies (unless registered on a US stock exchange or subsidiaries of US companies etc.) should concern themselves with the Companies Act before getting paranoid about SOX – although the devil is in the detail of how the regulators and law courts interpret the Act. The Companies Act 2006 affects (or is capable of affecting) IT governance in many ways, but the following should perhaps be particularly noted:


    Statutory registers

    Each company is required to maintain and update as necessary a register of members and certain other statutory registers.

    Accounting records

    A company must keep adequate accounting records sufficient to show and explain the company’s transactions, to disclose with reasonable adequacy the financial position of the company at any time and to enable the directors to prepare accounts in accordance with the Act (s. 386).

    Statutory accounts

    Directors are required to use the accounting records to produce statutory accounts that fulfil the legal requirements, and to prepare a directors’ report (and in some cases other reports) giving prescribed information. These must be signed to indicate that the directors accept responsibility. If an audit is compulsory, or if an audit has been commissioned even though it is not compulsory, the accounts are then audited and the auditor will sign the audit report. In all cases, signed accounts must be sent to every company member and to Companies House. Obviously, IT systems must provide accurate information for these purposes.

    Auditors’ rights

    Auditors have a right of access at all times to the books, accounts and vouchers of the company. They also have the right to require from directors, other officers, employees and certain other persons such information and explanation as they think necessary for the performance of their duties. Any person who, in making any statement (orally or in writing) that purports to convey information or explanations to the auditors in the course of their audit, knowingly or recklessly makes such a statement that is misleading, false or deceptive in a material particular, commits an offence punishable by a fine or imprisonment for up to two years (or both). Failure to provide requisite information or explanations is also punishable, unless the person concerned can prove that it was not reasonably practicable to provide them (s. 501).

    Company management, and its directors in particular, should think in advance about the sort of information the auditors might need and ensure that systems are designed to provide it (or can be easily modified to provide it) as and when required. This policy then forms a ‘non-functional requirement’ for systems development in general – which developers must be made aware of. Similarly, the provision of robust audit trails for financial information becomes a general non-functional requirement.

    Further, the only practical way you can be sure that your policies concerning the provision of audited financial information have actually been adopted in the automated systems that you use is to implement recognised ‘industry best practice’ processes for the development of automated systems and the operational management of the infrastructure that they run on – such as the Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure Library [ITIL®, web] procedures. Beyond even this, a company might find that process improvement (the ability to say what you are going to do, measure what you actually do and apply changes to the process that reduce any gap between aspiration and achievement) helps it to address regulatory criticisms in a cost-effective way and to cope with changing circumstances. One recognised process improvement regime for IT organisations is CMMI (Capability Maturity Model Integration) from the Software Engineering Institute [CMMI, Web].

    Statement in the directors’ report

    The directors’ report must contain a statement from each of the company directors at the relevant time, to the effect that there is no relevant audit information of which the auditors are unaware (as far as the director knows), and that he or she has taken all appropriate steps to make him or herself aware of such information and to bring it to the attention of the auditors.

    Directors’ duty to exercise reasonable care, skill and diligence

    The Companies Act lists a number of directors’ general duties, including a duty to exercise reasonable care, skill and diligence. The remedy for a claimed failure in this regard is a civil action by the company against directors believed to be at fault.

    A director must exercise the degree of care, skill and diligence that would be exercised by a reasonably diligent person with:

    • the general knowledge, skill and experience that may reasonably be expected of a person carrying out the same functions as the director in relation to the company and

    • the general knowledge, skill and experience that the director actually has.


    The director must meet the higher of the two requirements and it is interesting to note that this duty follows the duty set out in Section 214 of the Insolvency Act 1986.

    As a practical example, it means that a non-executive director who is a well-qualified and experienced solicitor must bring the care, skill and diligence expected of such a person to a very small private company that operates a fish and chip shop. On the other hand, an unqualified and inexperienced director of a major public company must meet the standard expected of a director of that type in a company of that type.

    It is relatively easy to set out the required standard, but it must of course be translated into a myriad of individual circumstances, which may not be easy in practice. Judges have in the past (especially in the distant past) taken a very relaxed view about the standards expected, but the requirements have grown more demanding over the years, and especially in recent years.

    Directors are not expected to be experts in everything, which is an obvious impossibility. They are expected to use common sense, give a reasonable amount of time and effort to the company and to make suitable enquiries when necessary. They are expected to do what may reasonably be expected of a director of that type in a company of that type, and if they have particular skill, knowledge or training, they are expected to use it. This means, for example, that if a director is the Chief Technical Officer and a skilled programmer, he or she would have some responsibility for poor IT systems that do not implement company policy or which permit fraudulent practices.

    Sarbanes-Oxley Act (USA)

    Sarbanes-Oxley (SOX, [SOX, Web]) is US legislation but it is very high profile. Mark Mitchell of Informatica has met UK companies that are not subsidiaries of US companies or listed on US stock exchanges, but that claim to have a strategy involving Sarbanes-Oxley compliance. This is usually revisited when he points out the likely cost of this (although there are reasons for pre-emptive compliance: the prospect of takeover by a US company, perhaps). Effective IT governance is a worthwhile goal but compliance with any regulations that don’t specifically apply to you, without a clear business reason, is very unlikely to be cost-effective.

    Nevertheless, SOX does affect many UK companies. In the Netegrity Security and Compliance Survey [op. cit.], however, only 15% of respondents thought that it was important. It seems rather unlikely that 85% of UK companies are neither listed on the NY Stock Exchange nor NASDAQ; nor are offshoots of US companies; nor doing significant business with US companies (in which case they’ll need to supply the information their partner needs to satisfy SOX); nor likely to be taken over by, nor merge with, a US company.

    Generally, SOX involves implementing an internal control framework such as COSO (see above) – and only a recognised control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment, will be accepted.

    The essence of SOX compliance seems to be that you build a rod for your own back. You must develop a defensible approach to internal control for your business (and this can be criticised), and then you devise a defensible approach to internal control for your systems, and then you must demonstrate that you are adhering to your own rules. In other words, it’s not simply a case of adhering to the rules, there’s an effectiveness measure too (and this is more along the lines of European regulatory practice).

    The impact on IT is that it must facilitate this process, by building into its systems and processes facilities that provide the information needed by SOX, the audit trails needed to assure the integrity of this information, and so on. The IT Group must also be aware of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for compliance, that are a constant maintenance overhead when the business changes [Faegre, web].

    The two sections with most impact on IT are 302 and 404(a), which deal with the internal controls that should be in place to ensure the integrity of a company’s financial reporting; this will impact directly on the software that controls, transmits and calculates the data used to build the company’s financial reports.

    SOX SECTION 302

    Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the accuracy of their company’s quarterly and annual reports. They must state:

    1. That they have viewed the report.

    2. That to the best of their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.

    3. That to the best of their knowledge, the financial statements and other financial information in the report fairly present, in all material aspects, the company’s financial position, results of operations and cash flows.

    4. That they accept responsibility for establishing and maintaining disclosure controls and procedures, and the report contains an evaluation of the effectiveness of these measures.

    5. That any major deficiencies or material weaknesses in controls, and any control-related fraud, have been disclosed to the audit committee and external auditor.

    6. That the report discloses significant changes affecting internal controls that have occurred since the last report, and whether corrective actions have been taken.

    There are serious civil and criminal penalties for making untrue statements in the areas above, so C-level executives are placing considerable trust in the integrity of their IT systems and the people developing and supporting them. This means that they will start taking an interest in the IT process and that this will likely become seen as an area C-level executives worldwide should be interested in – even if SOX isn’t involved.

    SECTION 404(A)

    If Section 302 might have onerous implications for executives, Section 404 sets out the rules in detail (and you should check the Securities and Exchange Commission (SEC) website [SECSOX, web] for the latest details and implementation dates). In September 2003 the SEC said, “We recognise that our definition of the term ‘internal control over financial reporting’ reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives”.

    The SEC expects to see an Internal Control report in a company’s annual report that:

    • states that company management is responsible for establishing and maintaining adequate internal control over financial reporting for the company;

    • identifies the framework against which the effectiveness of this internal control is assessed by management;

    • assesses the actual effectiveness of a company’s internal controls in practice, as at the latest financial year-end; and

    • states that the company auditor has checked out the management’s assessment of its internal controls.


    Not surprisingly, perhaps, in view of its general findings, the Netegrity Security and Compliance Report [op. cit.] found that about a third of those that thought SOX was important (only 15% of the total, remember) weren’t spending any money on technology to facilitate compliance with Section 404; and a further third were spending less than £50,000. In the light of this, it will also be no surprise that almost 90% of them either weren’t sure that they’d manage to get their internal controls accredited against SOX, or thought it not likely. Leaving aside the question of penalties, is it possible that prospective partners in, investors in, or purchasers of a business might think a business that couldn’t satisfy SOX Section 404 represented an increased risk over investing in, say, a more compliant organisation? One would certainly think so.

    The 8th EU Statutory Audit Directive

    The EU Statutory Audit Directive (revised from the 8th Company Law Directive) is the European equivalent to Sarbanes-Oxley [8thDirCons, web] and has been progressively implemented since 2006; the position early in 2010 (see the Scoreboard on the transposition of the Statutory Audit Directive (2006/43/EC) published by the EC [EUAuditDir, web]) was that the vast majority of EU member states had incorporated the Directive in their law. In the UK, it is implemented through the Companies Act 2006, as amended by the Statutory Auditors and Third Country Auditors Regulations 2007 (SI 2008/3494) etc.

    The UK regulators are generally interested in balancing principles and detailed rules (presumably this reflects UK concern with the spirit rather than the letter of company law) and the principles of subsidiarity and proportionality. The UK ICAEW, for example, is liaising with UK Government, the European Commission and other stakeholders on the implementation of this Directive in the UK [see ICAEW, web]. James S Turley, Chairman and CEO, Ernst and Young, sees this Directive as a welcome step towards global corporate governance standards. It certainly underlines the global nature of commerce today and hence the need for global regulation.

    Basel II and the EU’s CRD

    The Basel Committee on Banking Supervision issued a revised framework for capital adequacy (credit risk management) generally known as the Basel II (or Basel 2) accord in June 2004. This came into full effect in 2007. In July 2004, the European Commission published a Capital Requirements Directive (CRD) to bring Basel II into European Union (EU) law.


    Basel II had a significant impact on banking processes and the IT systems that implement and support them – largely in the area of credit risk profiling and monitoring. The UK FSA issued a consultative paper ‘Strengthening capital standards’ in January 2005 (consultation closed at the end of April 2005), putting forward the options for implementing CRD in the UK.

    Basel II is of great importance to banks, but probably won’t affect companies in general very much. However, for financial institutions, Basel II has some quite subtle implications, especially as some financial observers think that banking is all about the serious business of trying to evade the spirit if not the letter of the new accord, without being ambushed by the small print. Risk management is not particularly deterministic and the new rules may simply mean that risk is transferred to less (or differently) regulated subsidiaries. This could certainly result in some challenges for the IT group – a need for rapid changes to financial systems as risk arbitrage opportunities arise and disappear. This will be an environment not especially friendly to IT governance (higher levels of capability/maturity may not be particularly appropriate, for example) but business needs must rule and IT risk must still be managed (look what happened to Barings when controls were relaxed for a new business environment and a dealer was able to make his own settlements).

    As predicted in the first edition of this report, issues with Basel II in practice resulted in the development of what is generally being called Basel III, which the G20 is talking about finalising in 2011 and implementing in 2012.

    This is undoubtedly being driven by the near collapse of the banking system in recent years and is likely to attempt to regulate definitions of tier 1 capital (which constitutes the most commonly cited financial strength metric for a bank) and necessary capital buffers, allowable leverage ratios, measures to limit counterparty credit risk and short/medium term liquidity ratios.

    However, some banks are resisting more regulation as it might impede their ability to function (although some might see that as no bad thing) and in September 2010 the FT reported “German banks try to fend off Basel III” [FT, Web]. The implication for IT organisations in the Financial Services and Banking industry is that the regulations that their systems will have to enforce (and the degree to which they will be enforced in practice) are by no means defined yet. This is a lesson for IT generally: automated systems must be defined so as to support whatever regulations are in force (this is a definite requirement to analyse, even if a system’s sponsors sometimes forget to mention it) but they must be particularly flexible – agile – in this area, as regulations are never set in stone and can move rapidly up senior management’s agenda in response to particular crises or scandals.


    General legislation with IT governance implications

    A great deal of legislation has implications for the design and implementation of IT systems – and always remember that IT isn’t a special case. The Internet, for example, is often thought of as unregulated, because much legislation was formulated before the Internet came along or without any particular reference to it. In truth, however, it is over-regulated, since existing legislation usually applies to it anyway, whether appropriate or not. Of course, some of this legislation would be very hard to enforce, but inappropriate legislation that is only erratically or arbitrarily enforced is hardly a sound basis for electronic or computer-supported commerce.

    One of the objectives of corporate governance in the COSO framework is ‘compliance with all applicable laws and regulations’. In the IT world, this means that you must address, at least (the list isn’t exhaustive):

    • The Freedom of Information Act (UK) [FI, web] or the equivalent in

    other countries. This does only apply to government services, but it

    will affect the design of information storage and retrieval systems for

    such services (not only must information be retrievable but the

    performance impact of this must be considered).

    • Data Protection regulations; for example, the Data Protection Act (UK)[DPA, web] and legislation throughout Europe enforcing the EU Data

    Protection Directive. Not only must you protect personal information,

    which you can only collect and use for specified purposes, you must

    destroy it securely when it is no longer needed and provide facilities

    for the subjects of personal data to access and correct it. A particular

    issue for many global automated systems that may start to rely on ‘Cloud

    Computing’ technology, where the location of data at any particular

    time is not well defined, is that you are probably in breach of EU data

    protection regulations if data is stored or transmitted outside of EU

    borders.

• Intellectual Property (IP) protection; for example, the UK Copyright, Designs and Patents Act and others [CopyRight Act, web]. In many cases, the most valuable property in a company is its IP and it is particularly hard to manage technology IP, because a lot of it is still in people’s heads. An important related issue these days is software licensing. Unlicensed software may have been ‘hacked’ crudely and made unreliable, or even insecure, although it is hard to see that this makes it much worse than some legitimate products. However, it is illegal, and the activities of organisations such as the Business Software Alliance [BSA, web] or FAST (the Federation Against Software Theft) [FAST, web] make even unintentional use of unlicensed software unacceptably risky. In January 2004, the Federation reinforced its use of criminal proceedings to crack down on the misuse of software under s.109 of the Copyright, Designs and Patents Act 1988. Companies have been prosecuted even while in the process of addressing their licensing issues, and the interruption to business (from confiscated computers etc.) and loss of reputation may be a bigger problem than the fine.

• Health services and pharmaceutical regulations such as, for example, the US Health Insurance Portability and Accountability Act of 1996 [HIPAA, web], and various pharmaceutical industry regulations worldwide. The pharmaceutical industry is particularly highly regulated.

• Telecommunications regulations such as the Regulation of Investigatory Powers Act (RIPA) [RIPA, web]. This impacts the interception of electronic communications and the use of encryption technology.

• The Health and Safety at Work Act in the UK [HAS, web]. This applies to workers in IT just as much as anywhere else. It isn’t perhaps an IT governance issue, exactly, but it is important to remember that IT workers are not exempt from Health and Safety issues – and some of these (the impact of computer monitors on eyesight and Repetitive Strain Injury (RSI) from keyboard use, for example) are particularly related to computer use.

• The WEEE Recycling Directive [WEEE, web]. This probably won’t impact end-users of IT much, but it may impact Operations, as most electronic equipment must now be recycled when it is disposed of (luckily, the vendor probably has to arrange this).

• The Disability Act, 1995 [Disability, web]. Again, like Health and Safety, IT organisations are not exempt. In particular, web sites must be designed to facilitate access by the differently abled. The key standard in this area is probably the Web Content Accessibility Guidelines 1.0 (1999; work continues on these and a Working Draft 2.0 was produced in 2003), created by the Web Accessibility Initiative of the W3C [WCAG, web].

• Anti-Money Laundering legislation, which (in the UK) is embodied in several pieces of primary legislation: the Criminal Justice Act 1988 (as amended), the Drug Trafficking Act 1994 and the Terrorism Act 2000 (as amended). This largely, although not exclusively, affects banking and financial organisations, which must make Suspicious Transaction Reports (STRs), if money laundering is suspected, to either the law enforcement authorities or to the relevant Money Laundering Reporting Officer (MLRO).

Obviously, automated financial processing systems may have to recognise suspicious transactions and this may impact IT systems design; there is also a possibility that STR processing may appear to conflict with the requirements of the Data Protection Act (since ‘tipping off’ the subject of an STR is illegal) and this may also have an impact on IT systems design or operation [STR-DPA, web]. Anti-Money Laundering legislation introduces its own risks too – what should a bank do if it finds that its best and most profitable customers are probably money launderers but it can’t really afford to lose their business?

Publications such as Gee’s IT Policies and Procedures [ITPP, 2004] attempt to guide subscribers on the current state of such legislation and are regularly updated, but you should always take professional advice as to the exact implications of legislation, if it affects you specifically. It is perhaps not directly a part of ‘IT Governance’ per se but it is sometimes worth remembering that it’s a very good idea to avoid expensive court cases wherever possible (investigate ‘alternative dispute resolution’) and, in particular, to avoid becoming a test case for new regulations. It is indeed possible that regulatory compliance may be implemented in the software driving the business but be very careful about this. Ultimately, the effect of regulatory law and its associated enabling legislation is what a court decides it is, not what seems reasonable to technically competent lay-readers of legal material. Even an expert legal opinion is not binding on a future court.

In the next chapter we look at the impact of IT governance on the organisation in general.

Chapter 3
Organisational impact

Culture
Organisational maturity
Roles and responsibilities
Practical experience of governance

Culture

Good IT governance doesn’t exist in a vacuum. However experienced your IT staff are, and however good the practices they follow, you don’t have good IT governance unless these practices are institutionalised as part of a formal process that is regularly assessed and updated in the light of changes to the business or technology.

If you just ‘do it right, because that’s how we do things’, even if you are successful, how will you convince the auditors or regulators that you weren’t successful purely through luck and that you will continue to do things right? Well, you’ll have to conduct a review for them (or give them access to conduct their own review) that lets them discover all your critical processes and determine that they are properly controlled. This will be expensive, especially if you delegate it to an external party – and you’ll have to do it all over again if the business, the technology or even the interested party changes. This is not an efficient use of resources and you can hardly claim to have implemented good governance if it is based on such an ad-hoc set of processes, especially if you also consider that time and resource pressures applied to a process that, essentially, repeats the same evaluations over and over will result in omissions and superficial assessments.

An organisation that wants to implement good IT governance must have a supportive culture behind this. This means a culture that institutionalises good practice processes in pursuit of clearly defined organisational goals, and encourages buy-in to these goals at all levels.

However, you can imagine a company that employs the best (or most expensive) people taking the view that “what kept programmers from reaching their full potentials were managers who tried to impose standards, expectations or restrictions” (quoting from Larry Constantine’s description of the state of affairs at the fictional Nanomush, in ‘Constantine on Peopleware’ [Constantine, 1995]). Such companies are fairly common in the software industry and they usually enforce any regulatory rules with draconian disciplinary procedures, once they have been brought to their attention. So, if you’re caught using someone else’s intellectual property in your IT systems, unlicensed, or you find fraudsters using a back door into your systems put there so that programmers could fix bugs faster, do you simply sack the person responsible for that bit of the system (if they are still working for you) and hope that the issue goes away? Of course, it doesn’t – the lawyers carry on seeking damages or whatever; you’ve lost the free spirits who built your code without wasting time on documenting what they did and the rest of your staff think you’re victimising the unfortunate sacked programmers, who were only doing what their culture expected anyway.

In this situation, you then start worrying about what other surprises await you, because if leaving programmers free to do their own thing has given you one problem, you have no means of assuring yourself that others haven’t taken similar risks. Typically, after one bad experience, you start mandating compliance with some source of ‘best practice’, telling your programmers ‘to get it right or else’ which, since you are trying to change their culture, probably won’t go down very well (you may lose the best of them and keep the ‘dead wood’ that can’t easily get a job elsewhere). You’ll find that you can’t just mandate compliance with anything outside of a military organisation – and, in fact, military management practices are usually fairly enlightened because even under military discipline the people at the sharp end can work around your mandates (and also because, possibly, battlefield soldiers have the ultimate sanction available against bad managers).

Unless you are the sort of company that sets goals before taking action, that measures the impact of its actions relative to those goals and then changes what it is doing to reduce the gap between its aspirations and what it actually achieves, then attempts to achieve good IT governance are probably doomed to failure. This culture of measurement and continuous process improvement is largely what is meant by ‘organisational maturity’ – although in our ageist society, companies often prefer to aspire to being ‘adaptive’ rather than ‘mature’.

Organisational maturity

As Constantine points out [op. cit.], “Maturity is a central issue for the field of software development. Methodologists are wondering how long it will take for software engineering to mature as a discipline, managers are concerned about the level of ‘process maturity’ in the approaches to development used within their organisations, and project leaders wonder about the maturity of the individuals whom they are called upon to lead”. But it’s a concern in many more fields than just software development. Firefighting system failures may be fun and, in some organisations, you may be rewarded for the loyalty and dedication firefighting at 03:00 am demonstrates – even if you’re responsible for the problem you’re fighting (you probably delivered really fast and got rewarded for that too). However, most business users would prefer you to take a more mature approach and not put the problem there in the first place (or, at least, observe its appearance and preemptively nip it in the bud).

This concern for ‘maturity’ is really driven by a desire for a quiet life, without surprises and embarrassments. Allegedly, the Software Engineering Institute at Carnegie Mellon started looking at capability and maturity in IT software development because someone at a party to celebrate the first moon landing noticed that we could put a man on the moon but couldn’t build software that worked reliably. It started to develop a Capability Maturity Model for Software that an organisation could use as a target to assess the maturity of its software delivery processes against. It then found that there was a need for other process maturity models and, to avoid the management issues of multiple assessments, came up with the Capability Maturity Model Integration (or Integrated, in older references) – CMMI.

CMMI is proving popular, both as a way of an organisation internally benchmarking its own ability to deliver and, perhaps unfortunately, as a marketing tool for organisations striving to distinguish themselves in a competitive marketplace. However, you don’t have to have CMMI in order to be a mature organisation, it’s just a good framework to work within (and you do really need an external benchmark to manage your progress against). ‘Passing’ a CMMI appraisal (actually, there’s no ‘pass’ in the certification sense, you just get appraised) doesn’t guarantee good governance – it may simply show that your lack of governance is deliberate and that your management should be aware of this (which is, actually, a good start). However, mostly, what you measure (and this does apply to process) you try to do well.

CMMI

We must stress that we are not really discussing formal CMMI process improvement initiatives here – they’re a whole different topic and deserve a report in themselves. However, we are using CMMI as a framework within which to talk about the maturity necessary for good IT governance. It is a convenient way to categorise the levels of maturity in an IT organisation, but we must apologise to serious CMMI practitioners for taking a rather superficial view of the subject. You should also remember that although CMMI deals with more than just software development, it doesn’t cover every aspect of an organisation, even if its levels could provide a convenient shorthand for describing maturity in areas where CMMI proper doesn’t apply. For those seeking more information, refer to the CMMI web address in the Resources Appendix [CMMI, web].

CMMI is commonly seen as a five-stage process, with organisations progressing through the stages in turn, although there is also a continuous representation, which allows an organisation to be at a different capability level in different process areas at the same time (and CMMI experts often find this a more productive way to look at real organisations). The staged representation is easier to follow as a basis for discussion of maturity. The stages are:

5 The institutionalisation of continuous process improvement through proactive process measurement.
4 The use of quantitative process metrics, at the organisational level, to manage and improve the process.
3 The availability of managed process at an organisational level.
2 The availability of managed process, at a project level.
1 The ad hoc application of process.

Level 1 doesn’t mean that you have no process or that projects always fail or that nothing good happens – a common misconception. However, at Level 1 any successes can’t be guaranteed – they may depend on particular people or circumstances and a way of working in one project that delivers success may be abandoned or, at least, not used somewhere else, simply because management doesn’t recognise what it has. It is hard to see how you can claim any great degree of IT Governance at the equivalent of CMMI Level 1.

Going from Level 1 to Level 2 can be quite onerous, because it involves recognising and documenting what you have – and that often brings you up against the usual people issues as your IT ‘mavens’ may feel that documenting what they do and sharing it with others diminishes their value in the organisation. At Level 2, you are starting to have a degree of IT Governance – and, remember, that we are only using the CMMI Levels as a framework for describing maturity levels. You may effectively be at something corresponding to CMMI Level 2 as far as IT Governance is concerned, even if you aren’t formally implementing a CMMI initiative and haven’t undergone CMMI assessment (just don’t claim to be at CMMI Level 2 unless you do undergo proper appraisal, undergo regular re-appraisals and publish the appraisal class – A, B or C – and its scope).

CMMI Level 3 is probably as far as you absolutely need to go for IT Governance – which is not to say that going further doesn’t bring advantages and even better governance. However, at Level 3, you not only know what you have and know what you are doing with it, you are managing your IT resource at an organisational level and making basic measurements of the effectiveness of your management, which you can use to improve it.

At what corresponds to Capability/Maturity Level 3, which includes Level 2, you should have, at least:

• Asset management in place, including management of information, infrastructure and application assets.

• An organisation-wide security policy, based on risk management and effective identity management.

• Implemented a business continuity policy; complemented with service level management; incident, service impact and problem management; and effective capacity planning and provisioning.

• Effective configuration management in place.

• Information lifecycle management in place, ensuring that electronic business records are kept safely for as long as necessary and then disposed of reliably and securely.

• Managed processes for application lifecycle and operational management.

It should be noted that CMMI is itself developing, partly to address “gaming” of appraisals by company marketing departments (which is why the scope of an appraisal should be available and why appraisals have a limited period of validity). Interesting developments are new CMMI “constellations”, CMMI-SVC for developing services rather than software and CMMI-ACQ for companies acquiring automation rather than developing it. There is also the issue that maturity and good process isn’t an end in itself but a means for delivering business outcomes – and an organisation which is generally of high maturity may fail to deliver because just one key part of the organisation is at a low maturity level and fails to control risk.

Process-driven development and operations are fundamental to what we think of as IT governance and will be treated in more detail in the next chapter. A typical but vendor-independent development process is the Dynamic Systems Development Method [DSDM, web] and a widely accepted infrastructure/operations management process is documented in ITIL®, originally sponsored by a UK Government computing organisation [ITIL®, web].

Higher levels of maturity will fundamentally alter the nature of an organisation – the comparison is with the way that ‘lean’ engineering revolutionised the Japanese car industry and enabled it to compete with and displace the traditional US motor industry in world markets. However, higher levels of maturity may not suit some organisations or, in particular, emerging industries and technologies, where things may be changing too fast for a stable process to be feasible (although if you are implementing CMMI properly and fully understand its concepts, we suspect that there is room for argument here). Whatever, it is probably true that you can’t properly appreciate the benefits, and the consequences or implications, of higher maturity levels until you are at Level 2 or 3.

At the equivalent of Level 4, you become a metrics-focused organisation, managing quantitatively through metrics – which doesn’t mean that you don’t measure capability and improvement, where you can, at lower levels. You don’t just measure what is easy to measure, you potentially measure everything, on the grounds that you can’t manage what you can’t measure. There is an overhead associated with this measurement activity, however, so you will concentrate, in practice, on a few carefully-chosen “key performance metrics” (which may be derived from several low-level metrics) – and measurement automation is vital (you really need to build the necessary instrumentation into the design of your systems rather than try to bolt it on afterwards). As technology improves, business analytics and optimisation technology [BloorAnalytics, Web] can build good governance into the framework of automated business systems. With the benefit of the metrics you collect, you can focus on areas for improvement and confirm that your improvements are, in fact, working.

At the equivalent of Level 5, you are into continuous process improvement and the occult powers of warrior-monks in Chinese martial arts movies start to seem normal. Your metrics become predictive and you start to improve processes in anticipation of emerging problems. At this level, IT Governance is so innate that you probably don’t even need to think about it – but there aren’t many true Level 5 organisations in the world and many that have been assessed at CMMI Level 5 have only done so with a limited scope.

The point of this section is not to say that you must gain CMMI Assessment at Level 3 in order to implement good IT governance but that you must have a certain level of maturity across the whole organisation in order to implement IT governance effectively. And CMMI Level 3 gives you some idea of the minimum maturity level you will need in practice. If you implement IT governance at lower maturity levels you will be lucky if it achieves what you hope it will. You will likely end up with ‘islands of good governance’ and may find that embarrassing areas aren’t covered. You will be unable to reliably measure either the effectiveness or the overheads of your governance initiatives, and you will be unable to manage the overall alignment of your IT Governance efforts with the requirements of corporate governance as a whole.

Roles and responsibilities

One of the key issues in IT governance is the assignment of roles and responsibilities. The IT optimisation company, Mercury Interactive, an industry leader in application delivery, application management and IT governance (and now part of HP’s Business Technology Optimisation practice), once commi