digital transformation: information systems governance


Post on 11-Sep-2021


Page 1: Digital transformation: information systems governance

Digital Transformation


The authors acknowledge the contribution of Hecham Cherifi, Senior Manager at Natixis.


Advances in Information Systems Set coordinated by Camille Rosenthal-Sabroux

Volume 6

Digital Transformation

Information System Governance

Jean-Louis Leignel
Thierry Ungaro
Adrien Staar


First published 2016 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd, 27-37 St George’s Road, London SW19 4EU, UK (www.iste.co.uk)

John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA (www.wiley.com)

© ISTE Ltd 2016

The rights of Jean-Louis Leignel, Thierry Ungaro and Adrien Staar to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2016950828

British Library Cataloguing-in-Publication Data: A CIP record for this book is available from the British Library.

ISBN 978-1-78630-089-8


Contents

Foreword

Preface

Acknowledgments

Part 1. Information Systems Governance at the Service of the Digital Transformation

Chapter 1. Enterprise Governance: A Framework that Includes IS Governance

Chapter 2. Challenges of Enterprise IS Governance
  2.1. Value creation
  2.2. IS risk management

Chapter 3. Objectives, Approaches and Key Success Factors of Enterprise IS Governance
  3.1. Objectives of Enterprise IS governance (EISG)
  3.2. Approaches, frameworks and ongoing reflections
  3.3. Benefits of the approach and its key success factors

Chapter 4. How Can the Maturity of Enterprise IS Governance be Improved?
  4.1. Scope of EISG and assessment of the company’s global maturity level
  4.2. How can it be properly initiated?
  4.3. What can be done once the diagnostics have been made?
  4.4. How can the improvement process be initiated?

Part 2. Evaluation of the Maturity of Enterprise Information Systems Governance

Chapter 5. Maturity Evaluation Criteria for Each of the 11 Vectors
  5.1. Vector 1: IS planning and integration into the overall company’s planning process
    5.1.1. Issues of this vector in the digital transformation
    5.1.2. Issues of the vector in terms of contribution to the IS governance
    5.1.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.2. Vector 2: IS urbanization at the service of strategic challenges in the frame of the Enterprise Architecture
    5.2.1. Issues of this vector in the digital transformation
    5.2.2. Issues of the vector in terms of contribution to the IS governance
    5.2.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.3. Vector 3: Portfolio management of value creation-oriented projects
    5.3.1. Issues of this vector in the digital transformation
    5.3.2. Issues of the vector in terms of contribution to the IS governance
    5.3.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.4. Vector 4: alignment of the IT organization with respect to business processes
    5.4.1. Issues of this vector in the digital transformation
    5.4.2. Issues of the vector in terms of contribution to IS governance
    5.4.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.5. Vector 5: IS-related budgetary management and costs control promoting transparency
    5.5.1. Vector challenges in the digital transformation
    5.5.2. Issues of the vector in terms of contribution to IS governance
    5.5.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.6. Vector 6: project management with respect to business objectives
    5.6.1. Issues of this vector in the digital transformation
    5.6.2. Issues of the vector in terms of contribution to the IS governance
    5.6.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.7. Vector 7: provision of IT services optimized with respect to clients’ expectations
    5.7.1. Issues of this vector in the digital transformation
    5.7.2. Issues of the vector in terms of contribution to IS governance
    5.7.3. Best practices associated with the vector and measurement of the company’s level of maturity in the vector
  5.8. Vector 8: prospective management of IT skills
    5.8.1. Issues of this vector in the digital transformation
    5.8.2. Issues of the vector in terms of contribution to IS governance
    5.8.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.9. Vector 9: IS-related risk management adapted to business challenges
    5.9.1. Issues of this vector in the digital transformation
    5.9.2. Issues of the vector in terms of contribution to IS Governance
    5.9.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.10. Vector 10: management and measurement of IS performance
    5.10.1. Issues of this vector in the digital transformation
    5.10.2. Issues of the vector in terms of contribution to IS governance
    5.10.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector
  5.11. Vector 11: IS-related communication management
    5.11.1. Issues of this vector in the digital transformation
    5.11.2. Issues of the vector in terms of contribution to IS governance
    5.11.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Appendices

Appendix 1: IT Scorecard

Appendix 2: Economic Steering of IT Department

Appendix 3: Glossary

Bibliography

Index


Foreword

When the authors of this book asked me to write the foreword of their work on the digital enterprise, I immediately thought that it was one more document on a fashionable topic in the technology and the business world of the 21st Century often addressed by consulting firms, some of which have aspired to become experts on the subject. However, a more careful observation reveals that an issue more important than the sole subject of the digital enterprise is: “Is your company fully operational?”, because this is the real topic. In order to create or manage a business that is “up to date” concerning the integration of the most advanced technologies, it is important to ensure commercial development, management efficiency and profitability in order to deal with competitors in a given market. However, whether it is digital or not, the computerized enterprise will not satisfy the most efficient objectives if, when implementing the technology, it does not integrate the concepts and the standards underlying the scalability and the good functioning of its information technology (IT) systems. This is precisely the purpose of this book, which has the merit of concentrating a very limited number of pages on addressing this kind of issue, highlighting and providing what is necessary to ensure that computers and technology are no longer considered as a concern, as a necessary evil, but as the indispensable tool for the success of a company and the development of its business.


I have benefited during my career in IT from serving large groups, some of which were English speaking and others which were French. I was struck to see the extent to which an American or a British group considers technology not as the necessary evil that I mentioned above, but as an unavoidable requirement to develop the business and conquer market shares, so as to always be more profitable. For them, technology is an indispensable factor for increased profits; they position it at the same level as marketing, as the commercial network, as financial management or that of risks. For one of the leading banks in the world, the organizational motto was the “five I”: Investment banking, Individual banking, Institutional banking, Insurance and Information technology. The IT professionals were very proud and extremely motivated to earn this recognition of our profession. I have not felt the same in the French groups which I have been part of: IT was often a political lever in a large cooperative group, or was often led by a number 2 or number 3 overseen by an Executive Committee whose priority was not technology because it represented too much of a financial constraint rather than a tool for capturing new customers or markets. Of course, as everywhere, there are exceptions in France and I have fortunately experienced these as well; there are also industrial companies that sell technology and therefore cannot inherently be disregarded. On the other hand, the industry has all the more inspired the tertiary sector on this subject.

This short foreword introduces one of the important themes of this book that is reflected by the involvement of the general management in the management and development of IT in its enterprise and therefore in its governance. The essential element for the successful integration of IT in the enterprise is to basically consider that IT will not succeed and will not be a factor of profit unless all business units have appropriated it. The general management oversees the relationship between the business units and the technological declination of their projects. The Executive Committee is the main voice that contributes to technology matters: the latter inevitably appears downstream of all the projects of each department of the company. IT must be “business oriented” and “customer driven”, profitable and oriented toward the customer. It also means that if the general management wishes to develop its business with sustainability in mind and to avoid unpleasant setbacks relating to the intense development of all modes of communication including social networks and the Internet, it must be inserted in the specifications of its projects in risk management and security. This is another major theme discussed by the authors of this book.

It can be clearly seen, when we refer to the digital enterprise as fully functional, that we consider all the business aspects of the so-called enterprise. This means that the relationship between business and technology is not only a relationship of governance that will implement the management and steering committees necessary for the successful completion of the business projects, including their IT aspects. The description of the business macro-processes, their formalization from end to end and their validation and acceptance by all the actors involved is just as essential, as is the involvement of the Executive Committee, which must be the “booster”, as is the finalizing process that computerization represents. This book demonstrates exactly how to describe these macro-processes and integrate them upstream of the progress of the company’s projects. However, when we refer to the plurality of the company’s businesses, projects and the technological developments, we also refer to the “need for coherence”.

The coherence of the whole technology array of the company will be similar to the coherence of the enterprise itself, and the digital transformation will be favorably and profitably achieved, preserving together the future, productivity, scalability and responsiveness, only if this coherence is translated into an architecture. A building that is meant to last and withstand time is a securely and precisely structured building. The same happens with a company, hence the concepts and the practical proposals developed in this book, relative to enterprise architecture, IT application architecture and their associated variations. The more the architecture is considered in terms of its design as well as of its maintenance as an essential factor of the strength of the enterprise, the more the enterprise will benefit from the coherence that is essential to operate and develop in a fluid and responsive manner. The permanent and easily readable translation of this architecture will be the mapping of the IT platform that business units will have to absorb, just as they will have to integrate the management of their portfolio of projects with the general management, impacting their finance management and that of the company. IT professionals will be in charge of managing the purely technological capabilities of the platform, capacities ranging from the forward-looking management of the human resources of the chief information officers (CIOs), which are also transformed with the evolution of the technologies and must be as reactive as the developers of the business are, to the capacity of the computers and other electronic devices, implementing the validated and tested outcomes at the end of the projects.

As can be seen, responsiveness is a success factor; therefore there is a need for speed that is favored by the coherence of the enterprise, of its organization and of its IT systems: this is specifically reflected in this work through analyzing the need for a business or organization to be able to develop and manage short cycles. This is the fluency produced by an open and controlled architecture, maintained and shared, which will allow the proposal and the management of short cycles from decision making to the validation of the results obtained.

Finally, and this is somehow trivially said, the icing on this cake, but an icing that can be separated thereof: the authors did not miss the opportunity to draw the attention of the readers to the real need for communication surrounding the projects and the achievements, the results concretely and financially obtained, supported by simple dashboards readable by all. We are talking about communication adapted, due to certain of its aspects, to the customers of the company. This is therefore communication of an excellent quality, which is both endogenous and exogenous, adding a finishing touch to the fluidity generated by the macro-process as well as by the architecture, governance and furthermore by the involvement that has become natural on the part of the Executive Committee.

It is no coincidence that I have started this foreword by referring to the strategic importance of the involvement of general management in governance and in the integration of information systems, and that I finalize by mentioning it once more. This is explained by the fact that it constitutes the main reason why the precepts, methods, advice, and standards presented in this book will form the initial thrust necessary for the digital transformation of a company, and because of this we will no longer say that its involvement is lower in France than in English-speaking countries: the driving force is strategic.

Claude THOUMY

Claude THOUMY has been Vice President and Chief Information Officer of the Citibank Group; Organization and IT Director and Director of the Banque Technologique of the Caisse d’Épargne Group where he was also Director of Strategic Programs at the national level; Head of IT Operations, Head of IT Services and Support of the HSBC Group and Senior Advisor to Société Générale before retiring and becoming Senior Advisor at EI-Technologies.


Preface

In recent decades, information systems have become a major lever of evolution and transformation of enterprises. Under proper control, they can bring decisive competitive advantages, and when poorly controlled they can be seen as a burden, or even an obstacle for the development of an enterprise. As discussed in this book, governance is a decision-making process that is intended to ensure that information systems contribute effectively to the strategy of the company in a context of major changes: globalization, increasingly stringent regulations and continuous innovation in digital technology. Digital technology is atypical as such, because it can be both a vehicle for change when it challenges the competitive environment or the behavior of customers, and a response to change.

No company today escapes the digital transformation any longer

The digital transformation of enterprises did not begin yesterday. It can be dated back to the 1960s with the release of the then completely new mainframe computers. In the years that followed this innovation, large French administrations and enterprises began to develop programs within these environments to automate a certain number of activities, such as accounting, payroll and inventory management, with significant gains in productivity.


In the 1980s, e-mail began to spread in companies and then PCs made their appearance, and with them IT applications in server mode and desktops. These innovations brought new gains in productivity, but also, and far more than in the previous period, a significant transformation in the way employees work.

A new milestone was reached in the 1990s with the mass implementation of integrated management software in large enterprises and the emergence of CRM tools and Business Intelligence (BI), to name but a few. However, what should mainly be retained is perhaps the spectacular development of the Internet. From there, the digital transformation is no longer confined to the internal operations of companies. It starts to modify, sometimes in a radical manner, the commercial approach of companies toward their customers, as well as their relations with suppliers and partners.

This trend has not slowed since the turn of the millennium. Since then, the pace of technological innovation in digital technologies has turned into successive waves that look more like a tsunami: the appearance and record-speed spread of smartphones, which combine several innovations such as mobile Internet access and geolocation; big data; cloud computing; and MOOCs.

Other innovations in digital technologies are already available (connected objects, 3D printing, etc.) or still at the research stage (quantum computer, etc.), and no one is yet able to foresee exactly their uses and therefore their impact on companies’ business. Today the digital transformation has transformed society as a whole, and not just companies. The significance of this phenomenon and its irreversible character fully justify referring to a digital revolution. This revolution, which is one of the key ingredients of the third industrial revolution popularized by Jeremy Rifkin, can be schematically structured around a few major underlying trends, as seen from the business perspective.

The easy access to information: The Internet allows permanent and easy access anywhere (often free) to gigantic databases via tablets, laptops and smartphones. These databases provide relevant and immediate responses to the various questions that may arise. This innovation is naturally reflected in the relationship of companies with their clients in the context of e-commerce. Clients want to be able to choose the desired product online using relevant guides for their choices, to compare prices before ordering, to know at any time what stage the delivery of the product has reached, to obtain answers to questions about its use, etc. The enterprise of the digital age must therefore propose attractive new online services, adapted to the new habits, including in terms of pricing. Apart from customers, it is the interaction with the entire business ecosystem that is concerned: employees, suppliers, partners, regulators, the administration, etc. This naturally requires that the architecture of its information system¹ (IS) be reconsidered and that the governance be adapted to decide its developments.

The sharing of ideas through social networks: The exponential growth of social networks allows anyone to share ideas, impressions and feelings, but also purchasing intentions and opinions about the products and services they consume. As an example, we shall cite the emergence of “bloggers” on the Net who, through their comments on products, can become prescribers within their network of influence. These new behaviors compel companies to thoroughly review their marketing strategy. They must be present within these networks in order to be able to communicate with their customers and employees, participate in their conversations and identify business opportunities so as to implement them. This mutation must occur both internally, by the implementation of a social network at the enterprise level, and externally, by publishing a fan page on Facebook, communicating on Twitter, etc. Companies must also learn how to manage their online reputation.

1 The notion of “information system” (IS) used in this work corresponds to the definition of Wikipedia, namely “all the resources (personnel, equipment, software, data and procedures) organized to collect, store, process and communicate information. The system information coordinates, through the structuring of exchanges, the activities of the organization and thus allows it to achieve its objectives”.


Decentralized cooperation: The possibilities that the Internet offers to share information between the enterprise and its collaborators, customers, prescribers, partners, suppliers, etc. greatly facilitate cooperation around a common purpose, such as the development of a new product, the establishment of a commercial network, international development and the management of an IT project. This pooling of resources and expertise enables collaborative work in a multi-site, multi-company and cross-country perspective, which as a result creates value for the business, provided that the business knows how to develop its operating methods to become more flexible and more open, allow for faster decision making, better share knowledge and encourage innovation. For this, it must implement collaborative projects both internally, for example at the intranet level, and externally in the context of an extranet or an open innovation process enabling it to better interact with its ecosystem. The tendency toward the dematerialization of processes becomes a reality that has to be taken into account.

The massive use of data: In the age of the Internet, geo-localized mobiles and (soon) connected objects, the data produced by these systems are increasing exponentially. It is estimated that in 2015, 29,000 gigabytes of data were being produced every second, and in the future there will be even more. Considered as the black gold of the 21st Century, these data represent a huge economic deposit, provided that we have the means to analyze and value them. This is the promise of big data when it transforms these data into smart data. A list of all the possible applications of big data would require a whole book in itself. One of the main applications of big data is the fine knowledge of the behavior of consumers through tracing their navigation on the Internet, the analysis of their mails, tweets and posts on Facebook, the geolocation of their mobile phone, and the list is not exhaustive. It allows companies to offer products and, even better, targeted services. The health sector is another area that will experience considerable advances with big data. The analysis of the sales of drugs makes it possible to better predict future epidemics, the analysis of anonymous patient data is a tool supporting cancer research, and connected objects will tomorrow provide better medical monitoring: blood pressure, scale, toothbrush, pill box, etc. On the other hand, this massive use of individual data remains a rather sensitive topic. How is it possible to ensure a transparent collection and a benevolent analysis of individual data avoiding any intrusive use, even for surveillance purposes? This very serious subject will require codes of conduct on the part of companies, individual vigilance and a suitable legislative framework. Under these conditions only, the data will assume their function in the ongoing digital transformation.

As it has been seen, at the beginning of the digital era, companies used information technologies as simple tools serving the purposes of their strategy and their productivity in particular. However, everything has changed in recent years. The flow of innovations has completely changed everything and deeply modified the needs and behaviors not only of consumers, and companies’ clients, but also of their partners, suppliers, regulatory authorities, etc.

If some sectors appeared relatively exempt from recent developments in digital technologies, it is certain that they will soon also be affected. As a result, big data and connected objects will transform health and agriculture sectors. 3D printing is likely to revolutionize a large number of manufacturing processes and the industries based on them.

Many companies experience this situation as a constraint that requires them to constantly and hastily adapt in order to keep up with technological developments. However, others have become perfectly aware of the opportunity that these developments represent. In fact, newcomers are very often the ones who best know how to take advantage of these innovations by imagining business models that differentiate them from their traditional competitors. These include all the Internet giants, such as Google, Amazon, Facebook, Twitter, Ebay, LinkedIn, Tripadvisor and the so-called sharing economy companies, such as Uber, Airbnb, Blablacar and companies that were completely unknown 10 or 15 years ago. Very often, their business models are based on disintermediation between traditional businesses and their customers. They are able to capture the margins of these traditional businesses and thus weaken them.


To respond to these challenges, companies must define a genuine IT strategy. This strategy, driven by a technological and competitive intelligence based on digital processes, will have to reach well beyond the process automation and dematerialization projects of the information flows. Only a reflection on new products and services made possible by digital technologies will maintain pace with competitors. In parallel, the marketing strategy should also be reviewed to integrate all the possibilities of digital marketing, and the whole range of distribution channels must be analyzed to reach a maximum of clients. In the most extreme cases, a change in business model must be considered.

The implementation of this strategy is achieved, one should say classically, through projects. However, because of their restructuring effect on the functioning and the organization of companies, they often represent considerable challenges. The relatively slow expansion of digital technologies in companies compared to the dissemination to the general public indicates that the social body of enterprises is often refractory to these projects. To succeed they require, apart from mastering the innovative technologies, a coproduction between the IT department and the business units to put these technologies at the service of the enterprise’s processes, and also an enormous effort to manage change as well as a lot of pedagogy on the part of the executive management.

IS governance represents the most effective lever to successfully achieve the digital transformation in enterprises

The digital transformation can succeed only if it is supported by an “IT-oriented” corporate culture. This must be achieved in practice by a human capital prepared for this challenge. IS governance, apart from proposing a decision-making process for the IS, also creates the necessary conditions for promoting this digital culture.

Naturally, in light of these issues, it would be illusory to think that the guarantee of a successful digital transformation is embodied only by the IT department. The Executive Committee is responsible for paving the way with respect to the digital transformation and for making business units accountable for its implementation. The IT department must emerge as a strategic partner of the Executive Committee and the business departments.

However, in practice, communication difficulties are common between the Executive Committee and business units on the one hand, and the IT department on the other hand. Too often, the IS is pictured as a “black box” that is difficult “to manage” relative to the “business” objectives of the enterprise. This is where IS governance makes perfect sense. It aims to create the conditions for effective cooperation between all the stakeholders of the company with the objective of successfully achieving the digital transformation.

Objectives of the book

The present book is intended for the “Executive Management of the Enterprise” in the broad sense (Executive Committee, business departments and CIOs) and provides the drivers to collectively manage the complex strategic assets that information systems represent.

The objective of the Enterprise IS governance (EISG) is to ensure that the IS effectively contributes toward the objectives of “value creation” of the enterprise by accompanying its digital transformation. This is achieved by optimizing the use of the necessary resources, including the “economic” ones, and controlling the “risks” associated with the IS, not to mention transparency and communication necessary to open the “black box”.

On a practical level, the objective of this book is to provide an approach and concrete tools to help the Executive Committees to acknowledge and improve the level of maturity of their companies in terms of governance of the enterprise IS. In order to verify that all of the conditions necessary to the success of the digital transformation are in place, it strives to provide pragmatic answers to the following questions:

– what is enterprise IS governance and how can a company’s level of maturity in this field be measured?

– how can a realistically attainable target be identified?

– what improvement drivers can be operated as a priority to achieve the target?

– how is it possible to communicate and unite around a common project?

In order to meet these objectives, we have divided the book into two parts. The first part is primarily intended for the Executive Committees and business unit managers. It shows the significance of the good governance of the information system in order to succeed with the digital transformation and the way in which the IS governance should be interacting with enterprise governance. The second part is primarily intended for IT department managers. It offers a tool to evaluate the level of preparation of the enterprise by assessing its level of maturity in IS governance and, above all, to identify the most relevant and/or urgent actions that must be accordingly implemented.

The digital transformation makes it essential for the enterprise, that wants to take advantage of its opportunities and not be subjected to its threats, to open the “black box” and take full control of its IS in the context of enterprise governance. This is the main aim of this book.

Acknowledgments

A French-Swiss initiative launched in 2008 between the Association Française des Auditeurs et consultants Informatiques (AFAI) and the Office des Technologies de l’Etat de Genève (OT) being at the origin of this book, the authors wish to thank in particular:

– The AFAI, as well as other associations such as the IFACI and the CIGREF, and the members of the working groups that have contributed to the preparation of guides to best practices in governance, notably:

- Gouvernance du Système d’Information – Guide d’audit (CIGREF-IFACI-AFAI) 2011;

- Pilotage du SI par l’entreprise – les nouveaux tableaux de bord de l’IT scorecard- guide de référence (AFAI) 2011;

- Le pilotage d’une DSI (AFAI) 2006;

- La contribution du système d’information à la valeur de l'entreprise – démarche, cas concrets (AFAI) 2006;

- Alignement Des Projets Informatiques – un retour d’expérience (AFAI) 2005;

- Maîtriser les coûts informatiques – Modèle de référence (AFAI) 2004;

- Rentabilité des projets informatiques – Méthode, Outils, Cas Pratiques (AFAI) 2004;

- IT Governance: Pilotage de l’informatique pour dirigeants d'entreprise-Modèle de référence (AFAI) 2004;

- Maîtrise d’ouvrage de projet de système d’information-Principes, Rôles, Responsabilités, Facteurs de Succès (AFAI) 2003.

– The Office des Technologies de l’Etat de Genève and the University of Geneva, notably:

- Christine Aïdonidis, responsible for the IS urbanization for the canton of Geneva;

- Alain Jacot-Descombes, CIO of the University of Geneva;

- Patrick Genoud, Centre des Technologies de l’Information de l’Etat de Genève, technologies and IT strategy advisor;

- Michel Grisard, Chief Information Officer – canton of Geneva, Department of Urban Planning;

- Jean-Marie Leclerc, Director at Sword Group, former Chief Executive Officer of the Centre des Technologies de l’Information de l’Etat de Genève;

- Claude Maury, IS security organization Advisor, former President of the CLUSIS;

– Claude Thoumy, who has kindly re-read the book and prefaced it.

They also wish to thank the other reviewers as follows:

– Bertrand Maguet, founding partner of the firm MLA, Administrator of Consult’in France, Vice President of the AFAI (ISACA French chapter);

– Bernard Quinio, Vice President University Paris Ouest, responsible for life-long learning;

– Isabelle Sipma, director of digital transformation process and information systems at Orange Bank.

PART 1

Information Systems Governance at the Service of the Digital Transformation

1

Enterprise Governance: A Framework that Includes IS Governance

Enterprise governance is a decision-making process addressing, in a “balanced” way, two main components: compliance¹ and value creation.

As was discussed in the preface, IT assumes a more and more important strategic role concerning the business in the context of the “digital transformation”. Therefore, it must necessarily become a “stakeholder” in all decision-making and enterprise governance processes at the highest level.

The problems, opportunities and challenges posed by the alignment of information systems to the strategy of the company, as well as a consistent management of the investments, resources and technological projects, thus become a major concern for boards of directors and executive committees in enterprises.

In the recommendations of the International Federation of Accountants (IFAC), enterprise governance comprises both corporate governance and performance governance, as represented in the following figure.

¹ We use the term compliance in the sense of compliance with standards, rules and laws, etc., through risk management, internal control and CSR (Corporate Social Responsibility).

Digital Transformation: Information System Governance, First Edition.

Jean-Louis Leignel, Thierry Ungaro and Adrien Staar.

© ISTE Ltd 2016. Published by ISTE Ltd and John Wiley & Sons, Inc.

Figure 1.1. Illustration source: adapted from CIMA (Chartered Institute of Management Accountants)

This definition has the merit of correctly highlighting that enterprise governance has two balanced objectives, namely “value creation” associated with the performance governance and “risk management” associated with corporate governance.

Enterprise governance deals with all of the decisions made throughout the life of the enterprise that aim to create lasting value by ensuring the development of the company in the medium/long term and by making sure that the risks that might pose a threat to it are quickly identified and controlled.

To do this, enterprise governance specifies all the responsibilities and the practices to be implemented by the boards of directors and the Executive Committees to:

– define the strategy of the company by exploiting as much as possible the opportunities offered by the new technologies;

– establish the targets to be achieved and ensure that they are cascaded down to all levels of the organization;

– make the necessary resources available to achieve the objectives;

– verify that these are met;

– make sure that the risks are under control at an appropriate level with respect to the objectives of the company.

It concerns the following:

– administrators who will acquire knowledge of the company and its modes of operation;

– all the managers who will find a context for reflection and for best practices;

– all stakeholders (shareholders, employees, public administrations, etc.), who will have in their possession a measure of the quality of management processes.

Enterprise governance revolves around the company’s “business” macro-processes

By specifying the roles and the responsibilities of the actors of the company in all of the decisions to be taken, in terms of value creation, risk management or resources optimization, enterprise governance is therefore a real process.

It can be represented in the form of a diagram comprising four axes for the implementation of “best practices” plus a “transversal” key success factor: the “business macro-processes”.

Figure 1.2.

Axis no. 1: development of the strategy

The company takes into account the expectations of its “stakeholders” (current and future customers, competitors, shareholders, employees, suppliers, bankers, public administrations, etc.) and the predictable evolutions of the environment (technological, economic, social, financial, ecological, political/geopolitical) as part of a formalized and structured approach that relies, for example, on the concepts introduced by M. Porter in his book “Competitive Strategy: Techniques for Analyzing Industries and Competitors”.

At the same time, it ensures the involvement of the relevant actors (“right men”), in this case, the Executive Committee, directors and managers at the “right time” and the “right place” in the decision-making process.

This approach should ultimately lead to ambitious and realistic growth targets for each of the company’s product families, and also to the definition of the industrial, human and financial resources required to achieve this growth.

Axis no. 2: operational breakdown of the strategy into objectives

Medium-term business planning makes it possible to assign concrete improvement goals consistent with the strategic objectives to the business macro processes (end-to-end management of customer orders, creation of product and services supply, integration of customers’ expectations, supporting processes, etc.).

Obviously, this approach should bring together all of the company’s management areas, namely the Executive Committee, the business units management, the finance, management control, audit and IT departments, etc.

Axis no. 3: business projects and resources mobilization in relation with the macro-processes objectives

The improvement goals associated at a first stage with the “macro-processes” of the company are “results objectives”, such as the time to market reduction of a new product for the “offer creation” process, the production costs reduction for the “supply chain” process and the improvement of the rate of customer satisfaction for the “managing client expectations” process.

They must now be translated into “activities objectives” that can be attributed to the managers in charge of the functions contributing to the operation of the process: optimization of the production work plan, decrease in the response times to customer questions, ideas for new products or services better targeted, faster design of new products or services, etc.

Within the framework of the budgetary approach, “activities objectives” attributed to operational managers will be translated into action plans or business projects likely to mobilize the resources of the company in order to achieve the established objectives. These action plans or business projects always involve three inseparable components, the weight of each being highly variable depending on the context:

– organization;

– internal or external skills;

– information systems.

Axis no. 4: performance management and risk management

It concerns in fact two control processes that complement each other.

1) Performance management is a process implemented by the Executive Committee to ensure that business projects that it launches will correctly meet their objectives of performance and value creation for the business.

It is a process of continuous improvement, which results in verifying that the objectives assigned to the business processes are achieved with the aim of:

– implementing the preventive or corrective measures necessary for ongoing projects;

– redirecting, when necessary, the project business activities or the resources allocated to these projects;

– capitalizing on the experiences acquired;

– drawing lessons from potential failures to give the maximum chances of success for future projects;

– or even adapting the strategic path if the goals prove not to be achievable or are no longer relevant.

2) Risk management, however, is a process that aims at limiting risk taking to an acceptable threshold by identifying the following events that may affect the enterprise:

– risks of not complying with the performance targets that mainly concern the projects;

– risks related to the operation of the business processes in terms of availability, integrity, confidentiality;

– risks related to the internal control, in particular those related to the compliance with the regulations in force and to the reliability of the financial information;

– risks associated with failures of the regulation system of the company, for example independence of the board of directors and compliance with the ethical rules.

This process, which is implemented by the board of directors, executives and staff at the company, creates the conditions to enable the company to achieve its objectives and be sustainable.

A key factor of success: the “business macro-process”

The management of the enterprise is usually organized by functions (production, sales, marketing, design, development, human resources, finance, etc.) that are structured in a hierarchical way.

On the other hand, the “macro-processes” already mentioned (end-to-end management of customer orders, creation of products and services, handling of customers’ expectations, supporting processes, etc.) give a transversal “customer-oriented” vision of the company. They allow:

– assessing the operating performance of the company;

– establishing concrete targets for improvement concerning present and future customers’ expectations, such as:

- improving the quality, compliance with delivery times, reduction of production costs, for the “order to cash” process,

- reduction of the “time to market”, co-engineering development, etc., for the “New Product creation” process,

- improvement of the percentage of very satisfied customers for the “handling of client expectations” process.

As we have seen in axis no. 4, these business macro-processes play an essential role in launching business projects that will contribute to the improvement of the performance of the processes. They are also essential in mobilizing the necessary resources through a number of drivers, namely organizational developments, the management of internal or external skills and the evolution of the information system.

2

Challenges of Enterprise IS Governance

Given the importance of the IS in the transformation of the company, IS governance must naturally be part of the enterprise governance of the company and aim for the same goals. The main purpose is to ensure the future of the company by developing it for the benefit of all stakeholders (shareholders, employees, customers, suppliers, public authorities, etc.) while protecting the value of the capital for the shareholders through greater transparency regarding business risks.

Just as enterprise governance leads the board of directors and the Executive Committee to cooperate very closely, IS governance, because of the technical nature of the IS as well as its importance for the business, leads to very close cooperation between the IT department and all operational business units that are “clients” of the IS. This approach of course remains the responsibility of the Executive Committee, which should drive it.

To this end:

– executive managers should take an active part in defining the strategy of the IS by participating in the committees that deal with it;

– the Executive Committee has to provide the organizational structures that will enable the implementation of the IS strategy;

– the management of the IS function should keep in mind the company's business objectives and build bridges between IT and the other departments;

– all departments must contribute to the IS management and participate in the committees related thereto;

– the responsibility of the IS governance is part of the general framework of enterprise governance and should be treated just like any other strategic element of the working program of the managers. In other words, for the enterprises heavily dependent on their IS, the responsibilities of each of the actors involved in the IS governance must be clearly defined and controlled by the management of the company.

This is therefore referred to as Enterprise IS Governance (EISG) to clearly indicate that it concerns the company’s management of its IS with respect to its challenges.

As shown in Figure 2.1, IS governance should “support” in a balanced manner the two components of enterprise governance, which are performance governance and corporate governance.

Figure 2.1. Illustration source: IGSI (Institut de la Gouvernance des Systèmes d’Information)

It therefore pursues the same objectives, which are value creation and risk management.

2.1. Value creation

Because the IS supports the business processes of the enterprise in an increasingly critical manner in the context of the “digital transformation”, the improvement objectives of these processes will necessarily require the launch of “business projects”, whose IT component will gain increasing importance.

These projects are not IT projects strictly speaking, because they necessarily result in the evolution of the organization and the skills in the functioning of the processes that they impact. Neither are they strictly “business” projects, when taking into account the increasingly important role that IS plays in the functioning of the company’s processes. Their success is thus based on a close and harmonious coproduction between the IT department and the “business units”.

Providing the fertile ground upon which this co-production will be able to flourish is one of the major issues of EISG, on the “value creation” side of the overall enterprise governance of the company.

The key role of “business processes” in the interaction between the two governances

In accordance with the overall scheme of enterprise governance and the place of the IS within it, recalled in the figure below, IT projects should be seen as “IT components” of business projects.

Figure 2.2.

NOTE.– In Figure 2.2, as throughout this book, the notion of “Information System” corresponds to the Wikipedia definition, namely “the set of all the resources (personnel, equipment, software, data and procedures) organized to collect, store, process and communicate information”.

It includes the services (computerized or not) upon which the processes are based, the IT applications that automate the services and the technical infrastructure allowing the usage of the IT applications.

The “business processes”, for their part, include the “business resources” necessary to carry out the “activities” implemented in order to deliver the “products/services” of the process. These “business resources” require, from the staff, a number of “skills” whose “organization” will be described in procedures. In addition to these “business resources”, “the information system coordinates the activities of the organization through the structuring of the exchanges, and thus allows it to achieve its objectives”.

Since the strategic objectives of the company are operationally distributed at the level of the “business” processes, “business projects” will be launched to achieve these objectives on the basis of the “business case” approved by the Executive Committee.

These projects usually comprise three dimensions: a transformation of the processes, the introduction of new skills and the development of the information system. This shows that an IT project does not exist in itself but is part of a business project and of its “business case”.

Delegating the responsibility of the three dimensions to the business units will increase the chance of success for the projects in achieving the expected objectives. Within an enterprise governance framework, it makes it possible to ensure the strategic alignment of the different dimensions.

Figure 2.3.

The IT component of these business projects will show, in general, an impact on the three “layers” of the IS (see Figure 2.4):

– The service level (still called functional): the set of services (computerized or not) upon which the processes are based. A service is the elementary unit of the IS. It gathers a group of operations to be carried out in strong interaction among themselves. The services can be grouped into functional blocks (a billing service consists of executing several operations such as (1) handling of shipping data, rates and information related to the client, (2) calculation of billing elements and (3) transmission of the calculated elements to a recovery service);

– The IT applications level: the set of IT applications that automate services;

– The technical level: the entire technical infrastructure allowing the use of IT applications.

Figure 2.4.

Since the IS supports “business processes” that carry out the strategic objectives of the company, these “business processes” are the natural relationship between the company's global governance and the IS governance. The governance process of the enterprise's information system must allow a controlled and optimized development of the IS by balancing value creation and risk reduction and by conducting a process of IS urbanization at all levels. It sets the development framework of the IS, aiming at increasing its overall coherence to control the different standards of the enterprise, reducing redundancy and the complexity of its components and ensuring their interoperability. It constantly promotes a transversal vision of the IS, fosters the decompartmentalization of the various “silos” in the company and strengthens its consistency both internally and externally. It should enable the company's Executive Committee to drive the evolution of IS by taking all the parameters into account.

2.2. IS risk management

The “IT risk” framework of ISACA distinguishes the following three major risks related to the IS:

– the risks related to the recurring operation;

– the risks associated with projects;

– the risks associated with the loss of business opportunities found in particular in the context of the digital transformation.

Risks related to the recurring operations: availability, integrity, confidentiality

The security objectives at the “business” level (processes, organization, etc.) translate into “security requirements” at the level of the components of the IS, namely the IT applications (data, processing, etc.) and the infrastructures (equipment, networks, premises, etc.).

These “IS security requirements” are further divided into three main themes:

1) Availability: the ability to ensure the operational service continuity of the “business” processes. The “business” processes of the enterprise being increasingly more dependent on the IS, the consequences of a prolonged downtime can be serious and even catastrophic in financial terms, but also in terms of image.

The following are examples of actions that can be taken:

– server: to be “mirrored”;

– computer room: to be protected in terms of access, to be duplicated, etc.;

– network: headends to be protected, mesh network, etc.;

2) Integrity: the accuracy and consistency of data, making it possible to ensure the proper functioning of the “business” processes. The right person must have access to the right information at the right time to undertake the right action.

The following are some examples of actions that can be taken:

– access to the data to be protected by authorizations, network firewalls, etc.;

– data need to be safeguarded in a safe place, one must be able to restore them without loss or alteration, etc.;

3) Privacy: the necessary privacy level has to be estimated, as well as the impact of a possible disclosure of certain data on the operation of certain processes.

The following are examples of privacy requirements:

– an e-commerce site has access to a customer database, located on a server of its IT infrastructure and containing the banking information of the customer;

– the client database therefore has strong requirements for privacy, related to the sensitivity of the information that it contains.

Risk associated with projects: failure in meeting the objectives to improve the performance and to create value for the company in compliance with the triplet cost–quality–time

The Gartner Group estimates that 600 billion US$ are annually wasted in information system projects. The Standish Group believes that approximately 20% of the projects are failures, 50% are questionable and only 30% are successful.

An experience drawn from a project audit mission carried out by one of the authors of this book, certainly much more limited, but nevertheless highly instructive, illustrates the importance of the damages reported by Gartner Group: it concerns in effect a project that came to a halt after 8 years and 300 million euros eaten up “in lost capital”. The main reasons for the failure of this project may unfortunately be observed, in whole or in part, in many projects. That is why there is good reason to believe that a lot of progress remains to be achieved at the companies’ management level in order for IT projects to satisfy the objectives of performance improvement and of “value creation” for the company.

The “checklist” of bad practices leading to failure of projects notably includes the following items:

1) decision-making process too influenced by “political” decisions;

2) much too risky technological choices (“pharaonic” project syndrome);

3) choice of “tools” before having properly defined the actual functional needs;

4) functional design too “monolithic” to cope with changes in the context;

5) lack of anticipation of the skills necessary at the internal level which causes a dependence on external consulting firms;

6) project organization too complex and mainly taking away the responsibility from the “business management”, or conversely under-dimensioned project organization compared to the issues and the size of the project;

7) “business processes” improvement goals gradually move out of sight as difficulties are encountered;

8) “decoupling” between the “budgetary-legal” follow-up and the “operational” follow-up;

9) lack of project management plans (PMP) formally validated between the parties, as well as suitable management tools;

10) “therapeutic harassment” once it becomes obvious that the project cannot be saved.

These evaluations and feedback show how important it is to control ISs from a financial point of view to ensure that investments in ISs are not boondoggles. They do not show what is often more critical for the company, namely the strategic consequences, which can translate into a loss of competitiveness for the company and may jeopardize its future existence.

Risk of missing “business” opportunities derived from a lack of control of IT technologies

Given the increasingly numerous “business” opportunities that information and communications technologies offer, the company should, through the IT department, exercise effective monitoring and identify in time the technological advances likely to be useful to the company. If not, there is a risk of lagging behind the competition, with the inherent associated risks in terms of growth, profitability or even continuation.

3

Objectives, Approaches and Key Success Factors of Enterprise IS Governance

3.1. Objectives of Enterprise IS governance (EISG)

Help the company to better manage its challenges related to its IS

The governance of an enterprise’s information system (IS) is a management approach based on best practices, involving all of the managers and not only the IT managers. It aims to take advantage, for its development in the medium term, of costs incurred in its IS in order to obtain the maximal contribution to value creation. This is done by optimizing the consumption of resources and with a level of risk managed and adapted to the challenges, while developing transparency on issues related to the IS.

The EISG is based on the following:

– decision-making processes;

– decision-making bodies;

– standards and best practices;

– appropriate control frameworks;

– communication aimed at ensuring transparency.


It is based on a set of best practices, of very different natures, ranging from:

– operational subjects, such as the development of service level agreements or project management;

– to strategic issues, such as the contribution of the projects portfolio to the development of the business or organization;

– not forgetting economic considerations, such as the control of the costs of products or services provided by the IT department to its internal clients.

The more the IS is perceived as a “black box” which is difficult to understand and manage, the more these issues will become pressing or even suspicious. These questions emerge from all sectors of the company, as all are to a varying degree “clients” of IT and concerned by the IS. Depending on the sector, they have a different focus, which results in a very wide range of issues to which the IS management must respond:

1) the Executive Committee/finance department:

– how does IT contribute to the development of the company and to its performance?

– how does the IT budget compare with the competition?

– what is the link between the implementation of projects and the company’s results?

– why is the IT budget constantly increasing?

– is the IT department well managed?;

2) the business units which are clients of the IT department:

– are our investments in information systems profitable?

– how can IT help us to be more responsive with regard to the expectations of our customers?

– do the IT expenses charged to me reflect reality?

– wouldn’t the same services be cheaper externally?


3) the internal audit department:

– are the assets and operations of the company properly protected?

– are the main business risks under control?

– are control processes and audit trails implemented and effective?;

4) the IT department:

– are we properly meeting the expectations of our environment?

– are we focused on the most useful topics to the business?

– how are our costs compared to external services?

– how can the productivity of the IT be highlighted?

– how can project requirements be met while maintaining a reduced budget?

The aim of EISG is to provide answers to these numerous and varied questions that the enterprise raises, quite rightly, about its IS and how it is managed.

3.2. Approaches, frameworks and ongoing reflections

Reminder of the works of the ISACA, AFAI, and IGSI (AFAI-CIGREF): COBIT, then the Val IT and Risk IT frameworks, complemented by others: ITIL, CMMi, TOGAF, PMI

As early as 1995, the Information System Audit & Control Association (ISACA) was concerned about these issues and developed Control Objectives for IT and related Technologies (COBIT), an audit framework of best practices to be implemented.

This framework, which was originally primarily intended for IT auditors, has gradually evolved to include the issues of EISG, focusing on what must be done so that IT and the IS are able to be put to the service of the enterprise and its challenges.

It was then complemented by two frameworks dealing more specifically with the “business” issues of EISG:

– Val IT, for aspects related to the objectives of “creating value” for the company;

– Risk IT, for what concerns risk management associated with the IS.

COBIT, Val IT and Risk IT have together been integrated into COBIT 5, which thus constitutes a complete “high level” framework for EISG, that is to say one indicating what has to be done (the “what?”) rather than how to achieve it (the “how?”). It is a comprehensive “checklist” of what needs to be guaranteed so that the IS is properly managed with regard to the company’s strategy, rather than a “manual” for the implementation of the so-called “best practices”.

At the same time, and fortunately so, other organizations or associations have developed frameworks rather focusing on the “how?”:

– ITIL™ for the management of IT services;

– CMMi for the development of software applications;

– PMI for project management;

– E-SCM for the management of external services;

– TOGAF for enterprise architecture.

A faster awareness due to the Enron cases…

The cases of Enron, Worldcom, TYCO and others have resulted in the promulgation in the United States of the Sarbanes–Oxley Act (SOX), which has led to a set of regulations that companies must comply with in terms of risk management, starting with internal financial control.


These regulations were first gathered in the COSO1 framework, which offers a reference framework for the management of internal control, and which is intended to provide reasonable security regarding the achievement of the following objectives:

– execution and optimization of the operations;

– reliability of the financial information;

– compliance with laws and regulations in force.

The obligations in terms of risk management were then extended to more operational risks and formalized in the COSO2 framework, which is today the authority at the international level. It includes COSO1 and establishes a risk management framework for companies (“Enterprise Risk Management Framework”), which is a process implemented by the board of directors, the executives and the staff of an organization for the purpose of:

– identifying the potential events that may affect the organization;

– managing the risks so that they remain within the limits of “the risk appetite” of the organization;

– providing a reasonable assurance regarding the achievement of the objectives of the organization.

The COBIT framework has naturally become part of the corporate risk management approach to turn into, in a way, the prolongation of the COSO at the IS and IT level.

... but with a strong audit and control orientation that has been translated in 2011 into an “audit guide” developed between the IFACI-CIGREF-AFAI intended for IS auditors...

In practice, this recognition of the significance of the IS for the functioning and the development of the enterprise has resulted in a strengthening of the “controlling” processes, primarily aiming at a better management of the risks. The evaluation of these control processes has been entrusted to auditors, be they external within the context of external auditor mandates, or internal within the context of internal audits.


To facilitate the work of the auditors, the French associations IFACI, CIGREF and AFAI have jointly developed a “Guide to IS Governance Auditing” aiming at identifying the potential sources for improvement, using a global approach summarizing the best practices listed in all of the internationally recognized frameworks such as COBIT5 (incorporating Val IT and Risk IT), ITIL, CMMi, PMI, e-SCM and TOGAF.

The “Guide to IS Governance Auditing” thus allows auditors to identify the main dysfunctions by means of a relatively comprehensive but exhaustive “helicopter” view, to then trigger more in-depth audits with the help of the most relevant frameworks, with regard to the identified problem.

It also provides a global overview of EISG that is relevant to the Executive Committee, the IT and business departments, before “diving” into the frameworks, if necessary. It aims at demystifying and reducing the specificity of the IS to make it accessible to the various stakeholders, since the multiplicity of frameworks and quality standards is often a source of misunderstandings, as a result of some overlaps or contradictions.

Because of its “auditing” orientation, this guide makes it possible to identify, for each good EISG practice, the potential sources for improvement. However, it does not give the Executive Committee an overall picture of how efficiently the company manages its investments in IS compared to its development and strategy requirements.

Yet, representing the foundations of the digital transformation, EISG becomes essential to provide the Executive Committee with this global vision, so that it can make well-informed decisions about the most important and urgent action plans to be implemented.

It should be recalled that it is the purpose of this book to equip the Executive Committee with a tool based on the assessment of maturity in EISG, thus enabling it to take the most relevant decisions to face the challenges of the digital transformation.


3.3. Benefits of the approach and its key success factors

It is a long journey, but the profits that the company can draw from this approach are largely worth the efforts being made. These are as follows:

– Return on investment: a better understanding of the impact of the IT component of projects in terms of their return on investment (ROI). Increased contribution of the IS to the objectives for value creation pursued by the company. Better planning of the development of the IS.

– Opportunities and partnership: positioning of the IT department as a strategic and operational partner within the company. Improvement of business relationships with the key IT suppliers. Development of the capacity of the company to respond to the opportunities and to the challenges of its market.

– Performance improvement: better identification of the capacity of investments in IT to support the company’s business units and create value. Increased efficiency in the execution of business processes. Greater capacity to not engage the company in “unnecessary” investments/expenditures.

– Compliance: support provided at the enterprise level to ensure compliance with legal and regulatory requirements.

– Transparency and accountability: improvement of the transparency of the costs of the process, projects and services portfolio. Clarification of the responsibilities regarding decision-making. Building of clear and engaging relationships between suppliers and service users.

Key success factors of an approach for improving EISG

When a company is looking to improve its level of maturity in EISG, it finds itself very quickly facing a number of difficulties and challenges that have to be mastered in the proper manner. These are as follows:

– An institutional approach (at the whole company’s level) should be preferred. Business units and IT departments must work together in order to define the areas for improvement to be fostered and to control their appropriateness. A common and shared vision of EISG, based on a common language, must exist within the company. This vision has to be clear, as does its perimeter within the scope of EISG. The priorities within this perimeter must also be approved by the Executive Committee.

– A commitment at the “Executive Committee” level is absolutely necessary to validate the priorities and the guidelines of the improvements to be achieved, to facilitate the correct implementation of the principles being adopted, and to clearly define and enforce the roles and responsibilities.

– A framework for reflection accepted by all is needed to measure the level of the initial maturity, to define priorities and account for the progress achieved. This framework must be widely communicated within the company. It should not be too stringent and should allow the company to ensure that the targeted objectives are correctly understood, and that best practices identified are correctly implemented.


4

How Can the Maturity of Enterprise IS Governance be Improved?

4.1. Scope of EISG and assessment of the company’s global maturity level

To provide companies with a global vision of their maturity in EISG supported by an evaluation of the best practices

When a company addresses the governance of IT, it often feels like it is facing a complex challenge which is multifaceted and difficult to comprehend. This complexity reflects the diversity of issues that have to be taken into account as well as their transversality over the entire company.

Without concealing the difficulty of EISG, and without prejudging the sometimes significant efforts to be implemented in order to increase its level of maturity, it is important to face this challenge in the correct manner, maintaining a holistic approach, and to progress step by step in an incremental and pragmatic way.

The proposed approach makes it possible to address this governance and to improve its level of maturity in a simple and concrete manner. The objective is not to provide a procedure to follow step by step (which is, by the way, impossible to establish in the light of the diversity of situations and the multiplicity of problems that must be considered) but rather to give guidance on the means that will effectively help the progress toward better EISG.

Before knowing where to go, it is always a good idea to know where to start. The first step of the approach thus consists of a diagnosis reflecting the level of maturity of the company in terms of EISG. The difficulty of the exercise lies in covering the full scope of this governance, without addressing potentially complex technical aspects at the initial level of this assessment, but instead ensuring that all essential aspects are evaluated at the company and IT management level of the enterprise.

The method proposed here is based on an evaluation grid of the maturity of the company in terms of EISG structured around 11 improvement vectors, initially defined by the Institut de la Gouvernance SI (IGSI), a joint association between the AFAI (ISACA’s French chapter) and the CIGREF.

The “11 vectors” of the IGSI

The perimeter of EISG has been structured by the IGSI, in “11 vectors” covering domains considered as:

– strategic (marked “St” in the figure below);

– operational and economic (marked “œ”);

– supporting (marked “Su”).

Although EISG best practices associated with the 11 “vectors” can be analyzed in a relatively independent manner, good governance of a company’s information system assumes that there is no serious failure in any of the “vectors” regardless of its nature.

Indeed, if the availability of the services is not guaranteed under the terms of the contracts concluded with the “business departments”, the IT department will have great difficulty in positioning itself as an active voice when addressing the Executive Committee on matters relating to the strategic IS “alignment”.


Similarly, when service level agreements are respected, but IT resources are allocated to projects with little interest for the future of the company or organization, the IS will not really be contributing to the creation of value for the enterprise and, as such, it will not be possible to consider the IS governance as efficient.

Finally, if the costs of services are not properly controlled, it will be very difficult not only to guarantee the Executive Committee that the resources are used optimally, but also to develop, with the “client” entities, relationships of trust based on the transparency of the “quality/cost” ratio of the services provided.

Figure 4.1. The “11 vectors” of the IGSI

IS governance therefore concerns the three levels above in an indivisible manner. As a matter of fact:

– the desire to position the IS at the strategic level is unrealistic, if the operations are not under control;

– conversely, an IS that is performing at the operational level does not necessarily guarantee its contribution to the development of the company;

– and, in any case, the “supporting” activities must contribute to developing transparency and the proximity between the IT and business departments.


The best practices that the enterprise is supposed to have put in place for each of the 11 vectors in order to qualify for this level of maturity can be found in Chapter 5. They are listed in tables according to each maturity level.

These best practices have been identified and described for each of these vectors, not only from recognized frameworks (including COBIT, Val IT, Risk IT, ITIL and CMMi), but also and above all due to the contribution of experts and managers who have been facing a problem “on the ground” concerning the improvement of EISG.

For each of these vectors, levels of maturity corresponding to best practices to be implemented have been defined in Chapter 5 according to the following scale.

1. Awareness and beginning of implementation

– Companies have become aware of the challenges and have started the implementation of best practices.

– There is no organized approach, but case-by-case and individual initiatives typically exist within the IT departments.

2. Collaboration with business departments

– Best practices have been developed.

– They involve the principal executives of the company and not only the IT department.

3. Generalization and formalization

– There is a global and coherent approach to pursue the implementation of best practices.

– They are formalized bearing reproducibility in mind.

– The measurement of the results is made and subject to follow-up at the Executive Committee level.

4. Integration in the management of the company

– The challenges of the IS governance are shared by all of the management.

– They are formally integrated into the company’s planning and decision process.

5. Continuous improvement

– The company has implemented a process of continuous improvement of IS governance.

– It ranks among the “best”.

The achievement of a given maturity level assumes not only that the best practices identified for this level are implemented but also that those associated with the lower level(s) have been implemented.


The importance of considering a global maturity level…

This vector by vector analysis of the maturity levels, although necessary, is not sufficient to reflect the company’s level of maturity in terms of EISG. As a matter of fact, good IS governance assumes that best practices be implemented in a coordinated fashion over the set of vectors, certainly with priorities related to the context of the company, but by making sure that there is no significant imbalance from one vector to another.

This is explained by the fact that the best practices identified through the 11 vectors are intended for different levels of IT management (strategy, operations, support) and that an insufficiency at any of the levels would prejudice the other levels.

For example, an operational malfunction in terms of response time or launching delay of the IT applications degrades the contribution of the IS to the company’s creation of value. Conversely, a good operational performance both in delivering recurring services and in conducting projects without alignment of the IS with respect to the company’s strategy does not guarantee a good level of contribution to the company's development.

… in order to launch action plans for improvement resulting equally from the “EISG photo”, from the context of the enterprise and from its priorities.

4.2. How can it be properly initiated?

The measure of the level of maturity of the enterprise for each of the “11 vectors” of the IGSI gives a comprehensive account that allows the Executive Committee to become aware of the company’s strengths and weaknesses in the governance of its IS.

The representation of the different levels of maturity in the form of a radar with 11 branches appears to be one of the most effective ways to render this global maturity. In the following theoretical example, the profile of the assessed company is shown by the inner triangular markers and clearly highlights the priorities for improvement.

Figure 4.2. The different forms of maturity, represented for an assessed company

4.3. What can be done once the diagnostics have been made?

An increase in the level of maturity of a company in terms of IS governance does not necessarily mean that the scores over all vectors have to be improved at the same time. Depending on the context of the company, its environment and the strategy retained, it is necessary and crucial to identify which vector must be acted upon as a priority.

Depending on whether it concerns a bank, an industry, a public administration, etc., and on the basis of the global maturity level of the company, this exercise for the development and the sharing of priorities must be conducted to avoid embarking “headlong” in a burdensome task that would eventually overwhelm its initiators: “do not bite off more than you can chew”.


The definition of priorities must also take into account the company’s context. For example:

– organic (new products) or natural growth (new markets): requires significant agility from the IS, and the management of the project portfolio is, in particular, a key factor;

– external growth (merger/acquisition): priority to IS urbanization, organization of the IT department, etc.;

– flat situation, mature or declining market: priority to the reduction of expenditures, primacy to management control;

– difficult situation, no visibility, crisis situation: priority to performance indicators.

4.4. How can the improvement process be initiated?

EISG is a dynamic and evolutionary approach. It is much more than a procedure or a recipe to be followed. It responds primarily to management objectives that must take into account the enterprise’s culture.

Once the priorities have been defined, the objective is then to identify and to gradually implement the best practices which are the best suited. Naturally, this implementation must be achieved in a progressive and adapted manner and in the context of a quality approach.

The identification of the right performance drivers in EISG allows the definition of a governance action plan comprising, in particular:

– the organization of the relationships between the Executive Committee, the IT department and the business units or, in the context of projects, the relationships between the Project Owner (PO), the assistance to the PO (APO, very often provided by a consulting firm) and the Project Execution (PE), very often the IT department;

– the organization of the IT department;

– the management of the project portfolio and the decision-making process concerning the launching of projects;


– the IT master plan (in the urbanization, projects, maintenance and production senses);

– the skills on the IT side and on the business side, as well as internal versus external;

– the management of the IS by the company;

– the financial aspects, notably the management control of the IT department;

– risk management, etc.


PART 2

Evaluation of the Maturity of Enterprise Information Systems Governance


5

Maturity Evaluation Criteria for Each of the 11 Vectors

Our ambition in this second part of the book is to provide a framework composed of best practices organized according to the level of maturity and that may be adopted by the majority of companies wishing to choose the pathway toward improving Enterprise IS governance (EISG).

We hope that it will allow any company wishing to do so to carry out its own assessment, define the level of maturity that it wants to reach and derive from it the strategic priorities for improvement consistent with its context.

Reminder: Achieving a given maturity level in the analysis of the vectors assumes not only that the best practices identified for this level are implemented but also that those associated with the lower level(s) have been implemented. What matters is to consider a global maturity level.


5.1. Vector 1: IS planning and integration into the overall company’s planning process

5.1.1. Issues of this vector in the digital transformation

In order for the IS to make its optimal contribution to the strategy and to the development of the company as part of its digital transformation, it becomes essential that the IT department be a stakeholder involved very early in the process of strategic reflection of the enterprise. By appropriating the challenges of the company, it will be able to detect the most useful technological opportunities and include them in the strategic planning of the company.

5.1.2. Issues of the vector in terms of contribution to the IS governance

The IS development plan must be connected to the company’s planning process, but must also take account of technological developments and IT-specific projects and in particular:

– infrastructure developments;

– operational risks related to technology;

– hardware and software obsolescence;

– the optimization of the recurring costs of the IS;

– the operational effectiveness of the IS;

– the rationalization of the IT application portfolios.

By doing so, it constitutes a framework dedicated to decisions concerning the IS of the following natures:

– strategic: what are the company policies concerning the IS? How does the company consider the role of the IS to support its strategy?

– operational: how can this strategy be implemented on a daily basis? What changes can be made to the enterprise as it is today? Which projects should be launched in priority?


– financial: with what financial mechanisms can the company’s strategy be implemented at the IS level?

– technology: what guidance can be given to the architecture of the information system to become part of the company’s strategy? How can the company benefit from technological innovations?

It thus makes it possible to identify and qualify the IS action plans to be promoted in the coming years so as to support the company’s strategy.

5.1.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– The company has evaluated the importance of the IS in the operation of its business units and their development.

– There is an objective of the IS to be achieved in the medium term, but most often it integrates a technological dimension only and is not shared with the business units.

– Initiatives, generally proposed by the IT department, are subject to a case-by-case validation either by the company’s management or an ad hoc body.

– The IT department’s reporting is mainly budgetary and “short-term” oriented.

Level 2

– Without participating in medium-term planning work, the IT department is kept informed about it in order to build IT solutions in line with the orientations and the business projects.

– Having a good knowledge of the company’s operation (regardless of how this can be obtained), the IT department develops jointly with business units the IT solutions that are the most appropriate for the company’s strategy.


– The IT department has conducted an analysis of the existing IS (application and technical) in order to identify the key issues likely to impact the proper functioning of the enterprise (obsolescence, lack of flexibility, etc.).

– At this stage, it is still not possible to mention any IS development plan. However, formalized action plans are developed to adapt the IS to the company’s requirements and to address the main risks identified.

– The synthesis of these action plans is validated by a decision-making body (not specifically dedicated to IT related issues) comprising the business units.

Level 3

– In the context of the development of the enterprise medium-term plan, the IT department is consulted in order to contribute.

– The IT department designs the most appropriate IT solutions responding to the enterprise medium-term plan in collaboration with the business units.

– The IS medium-term development plan is formalized and regularly updated.

– The implementation of this plan is monitored through progress indicators.

– This monitoring is carried out in the context of the mid-term planning and the monitoring approach of the enterprise.

Level 4

– The IT department participates in all meetings concerning the medium-term planning of the company in order to:

- contribute via innovative proposals in the field of ICTs to implement (or even influence) the company’s strategy (NB: the term strategy here includes the target to be reached and the means to get there);


- understand and integrate the business objectives given by the operational managers to identify and build the most appropriate IT solutions;

- formalize through objectives and action plans the “IS” component of the company’s medium-term plan.

– An instance similar to the SDCITIS (Steering and Decision Committee concerning Information Technology and Information Systems: see Vector 4) validates the IS development proposals. It is managed by a representative of the Executive Committee and includes representatives of the business units as well as from the IT department. This instance supervises the implementation of the IS plan in the medium term, using a comprehensive dashboard. In this context “comprehensive” means a dashboard taking into account a set of relevant indicators chosen by the Executive Committee, the business units and the IT department.

Level 5

– The IT department is fully integrated into the company’s planning process and makes it possible to take into account the technological innovations, supposed to be helpful to its development.

– Financial, IT and business resources necessary to the achievement of the objectives of the strategic plan of the IS are allocated in the context of the company’s planning approach. This allocation is arbitrated by the SDCITIS.

– The progression towards the objectives defined in the development plan of the IS is measured through performance indicators that are communicated to the Executive Committee and the business units.

– These performance indicators are regularly analyzed by the SDCITIS, and improvements are identified and implemented.

– The SDCITIS is managed by the Executive Committee or by a representative mandated for this purpose.

5.2. Vector 2: IS urbanization at the service of strategic challenges in the frame of the Enterprise Architecture [1]

5.2.1. Issues of this vector in the digital transformation

The IS urbanization remains one of the key success factors for the digital transformation of the enterprise. In its oversight function, it provides solutions on technological aspects. One of the challenges of the architecture is to be able to quickly integrate the new IT applications into an infrastructure guaranteeing their consistency and their ability to communicate with each other.

The technologies that the architecture must integrate include big data, cloud computing, architectures related to collaborative networks, security, etc.

5.2.2. Issues of the vector in terms of contribution to the IS governance

The urbanization brings:

– a global, coherent and shared vision of the IS by means of mappings (cadastral urbanism);

– the definition of a “to be” IS aligned with the business units and the company’s strategy, as well as the definition of a trajectory (roadmap, forward-looking urban planning) to reach it;

– the identification of gaps between the “as is” system and the desired target.

[1] The two following definitions coexist. We consider that they serve the same purpose, which is reflected in the challenges of the vector, within which the term urbanization is retained:

– IS urbanization: “Organization of the progressive and continuous transformation of the IS with the objective to simplify, optimize its added value and make it more responsive and flexible regarding the strategic developments in the company, while relying on the technological opportunities of the market”.

– Enterprise Architecture represents the manner in which the company operates and must transform itself. It is used to drive the transformation. It brings together all of the actors of the company and facilitates their synergy. It provides a target, a gap analysis and a migration planning. It is a dynamic and iterative process.

Urbanization is able to inform decision-makers on the development choices of their IS and therefore on the level of investment required.

It makes it possible to:

– identify the rationalization axes of the IS (redundantly implemented functions, data frameworks that would deserve to be widely shared, rationalization of the flows between IT applications) that will bring a reduction in IT costs (promoting reuse reduces IT maintenance costs) and a reduction of risks;

– facilitate the prioritization of the requirements and the projects;

– analyze globally the impact of the projects portfolio over the whole IS.

Figure 5.1.

As Figure 5.1 recalls, the developments of the IS architecture derive from the business challenges and from the goals set for the managers in charge of business processes. Apart from business processes, they concern both the infrastructure layers and the application layers of the IS. Obviously, the lower layers can also generate constraints to be taken into account by the upper layers.

However, too often the mapping serves only as a purely documentary means, while other uses are possible. For example, it allows management controllers to charge business units and other beneficiaries of services on the basis of a breakdown of the IT costs per IT application. This re-invoicing mechanism is detailed in vector 5 dedicated to the economic management of the IS.

5.2.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– There are various IT applications or infrastructure mappings, but they are unrelated to the functional maps or to those of the business processes.

– Norms and technology standards in force within the IT department are formalized and their use within the projects is growing.

– A diagnosis performed by the IT department and concerning the situation of the IS in terms of flexibility, obsolescence risk, maintenance costs, data and IT applications redundancy has been carried out.

– There is a communication designed for the business units. It presents the process of IS urbanization and its added value for the enterprise.

Level 2

– Different maps show how the IT applications support and/or enable business processes. This assumes that:

- the business processes themselves have been identified and formalized not at an “operational” detail level but at a “managerial” level sufficient to apprehend their main characteristics (purpose, inputs/outputs, main activities and actors, objectives for improvement);

- the functionalities offered by the IT applications and the connections between them are linked to the business processes;

- a “to be” IS mapping in the medium term has been developed in collaboration with the business departments.

– Some cross-sectional data (for example customers, products, suppliers and prices) are stored in dedicated repositories used by all the IT applications that need them.

– The norms and standards are consistent with the state of the art of the IS ecosystem and are effectively applied to the projects thus promoting a coherent IS architecture.

Level 3

– The mapping process is formalized. It sets out the roles and the responsibilities of all the actors involved, including those of the business units, and it is communicated to them.

– There is a development plan of the application and infrastructure layers of the IS in the medium term (3 years) that takes into account the assessment of the “as is” situation (see level 1), the coherence needs arising from the business processes and the norms and standards defined by the IT department.

– This plan, which represents the basis for an IS Master Plan, allows the IS to be developed with architectural coherence (business, functional, application and technical) and with the actual involvement of the business representatives.

– This evolution includes a vision of the “to be” IS urbanized per functional modules reusable by multiple business processes.

– The maps are systematically used during studies prior to project launching in order to comprehensively measure the impact on the IT application assets and thus orientate the IT solutions to be promoted.

– The main cross-sectional data are stored in dedicated repositories. They are documented in a data dictionary comprising in particular their definition, their owners and their life cycle.

– A body has been put in place to investigate and validate the developments in the rules and standards of the IS architecture.

Level 4

– The dialogue that exists within the enterprise between the business units and the IT department makes it possible to translate the business objectives associated with the processes into inputs for the IS development plan.

– The IT department has formalized a multiannual and rolling IS master plan (ISMP). It is regularly reviewed and validated by the SDCITIS that includes the Executive Committee and the business units (see Vector 4).

– The SDCITIS is informed of the nonconformities noted regarding the rules and standards of the IS architecture. It takes the corrective measures that are necessary and ensures their proper implementation.

– The main cross-sectional data are stored in dedicated repositories and are made available to IT applications.

– The major IT components are developed to be reusable for the IT applications portfolio.

– A mapping tool is shared and recognized by all the actors (projects, production, architects, crafts), as the official repository for all the information belonging to the IS and IT assets.

Level 5

– All of the IS mapping (“as is” and “to be”) is supported by adapted tools that facilitate its update and perpetuate the initiative.

– Enterprise architects contribute to the strategic plan of the enterprise by making use of the information resulting from the urbanization.

– The update of the IS development plan is integrated into the process of strategic planning of the company in the medium term and involves both the IT department and the business departments.

– This evolution is formalized by means of a multiyear and rolling IS master plan (that is periodically reviewed at the frequency of the strategic planning process of the company and formally validated by the SDCITIS).

– The main cross-sectional data stored in the dedicated repositories are regularly controlled and an owner is responsible for them.

5.3. Vector 3: Portfolio management of value creation-oriented projects

5.3.1. Issues of this vector in the digital transformation

Short digital cycles require that the technologies be quickly apprehended and implemented. Due to the short cycles of the new digital world, the management of the delivery time becomes predominant compared to the other drivers (budget and functionalities). The information system should enhance the business performance drivers, which requires a significant collaboration between the IT department and the business units. The adequacy between the possibilities offered by the technology and the reflection on the business models creates value in the digital world.

In this context, it becomes even more necessary to experiment with new technologies to assess their interest before integrating them into the projects. These experiments may need investment without any initial guarantee of success and without a business case. The main purpose is to consolidate the returns on investment and to make business cases possible.

5.3.2. Issues of the vector in terms of contribution to the IS governance [2]

Properly evaluating each IT project, building a strong opportunity study case, involving the executives in project launching or redefining decisions, measuring the results achieved are obviously essential and already represent a high level of maturity and requirement.

However, due in particular to the multiple dependencies between projects, this is not enough. In addition, remaining at this level is a risky and incomplete IT investment approach as well as a shortfall in the IS governance model.

The alignment criteria of the IT projects on the company’s strategy and on its value creation objectives must be assessed on the basis of a global vision of the project portfolio and not on each project taken individually. As a matter of fact:

– the strategy of an enterprise is decomposed into several axes: a good portfolio consciously covers the totality of these axes (e.g. innovation, partners and customers relationship management and operational excellence);

– the overall value of a portfolio is not the sum of the values of the projects that it comprises: it will also be assessed in terms of synergies between complementary projects, contributing to the same major objectives;

– the feasibility of the portfolio can only be assessed globally, based on an estimation of all the resources to be mobilized, especially concerning competing projects, changes to be implemented and new skills to be developed;

– IT resources being limited: the good allocation of these resources according to the business challenges must be translated into a workload derived from the global project portfolio.

[2] Source: The vast majority of the elements of this paragraph are extracted from the book “Analyse et pilotage de la valeur d’un portefeuille de projets, système d’informations” / AFAI – Collections pratiques professionnelles, and from the Val IT framework issued by the IT Governance Institute (Institute's site: www.itgi.org).

Therefore, the objective of the value creation-oriented projects portfolio is no longer only “selecting the best individual projects” but “constituting and guiding the best project portfolio possible”, by optimizing the use of IT and business resources. Such a portfolio is:

– aligned with the company’s strategy;

– generating risks coherent with this strategy;

– with high added value;

– realistic from the point of view of the resources to be mobilized and the changes to be led.

The management of the portfolio of value creation-oriented projects, in addition to a project-by-project decision process, provides:

– a rebalancing of the IS investment budgets, often cannibalized by projects with limited ambition but with quick profitability, or even by routine maintenance;

– consideration of the dependencies between projects (synergies or incompatibilities in resources and impacts, same impacted business processes, shared technological components, etc.);

– a projects portfolio aligned with the strategy of the company, with better controlled balance and better risk distribution;

– a better contribution to the value creation of the investments in IS.

A portfolio of projects should be embodied by a sponsor who is a member of the executive board and who determines the objectives and takes the decisions regarding the integration of new projects in the portfolio. Generally, this sponsor is the coordinator of the SDCITIS.

The good management practices of a projects portfolio aiming to maximize their contribution to the value creation for the company are organized in the Val IT framework of the ISACA/ITGI in four fundamental questions as shown in Figure 5.2.

Figure 5.2. (Source: ISACA/ITGI VALIT framework)

5.3.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– Companies have become aware of the fact that projects must be apprehended at the business level and that they are made up of different components: organizational, skills and information system.

– Decisions concerning the launch of IT projects (at least the most important) are based on a “business case” developed with the business units and presenting in a minimal form the expected business profits.

– The state of the progress of the projects is followed individually by the steering committee of each project. There is no cross-project coordinating body.

– A consolidated list of individual projects has been developed and updated by the CIO, but it is still too soon to speak of project portfolio management.

Level 2

– The “business cases” are developed by the business departments and integrate project-related activities (and not only the IT component).

– Their content and their level of detail are adapted to the importance for the enterprise of the issues addressed by the projects as well as to the typology of the projects (regulatory projects, business transformation projects, infrastructure projects).

– The projects whose challenges are significant for the company are systematically subject to an analysis of their business case before the launching decision. This analysis is based on homogeneous criteria recognized by the entire company.

– There is a consolidated vision of all of the projects, which is structured by categories (mandatory vs discretionary projects, ongoing projects vs projects to be launched, aligned vs. unaligned projects, etc.), and clearly indicating the business processes to which they contribute.

– A recognized project management methodology is used and a report of the progress of the projects (costs, deadlines, achieved operations, “to be done”, etc.) is developed by the IT department and communicated to the relevant business departments.

– Regarding the projects whose IT component is significant, the credibility of the business cases is supported by the creation of prototypes enabling the IT department to quantify more precisely the associated costs and the investments to be made.

– The business cases integrated in a consolidated vision of all the projects (segmented depending on the types of challenges: trade development, operational, financial, regulatory, technological performance, etc.) constitute the projects portfolio of the company.

– Projects portfolios are prioritized according to the business benefits expressed in the business cases.

– This portfolio of prioritized projects is used for making decisions concerning the launching or the redefining of projects by a body that goes beyond the mere scope of the IT department and that includes business representatives.

– Business cases are periodically updated in case of significant changes in the context, or if the project management shows significant deviations with regard to the path originally scheduled (in terms of budgets, deadlines and functionalities).

– The management of the projects portfolio on behalf of this body is entrusted to a clearly identified executive.

Level 3

– The business cases satisfy the following quality requirements:

- they are developed under the responsibility of the business departments with the participation of the IT department;

- they are achieved iteratively with decision points allowing ongoing work to be reoriented (framing phase, exploratory phase, formalization phase);

- their content is consistent with the best practices recommended by Val IT in order to demonstrate their contribution to the value creation for the enterprise. They integrate all of the activities necessary to the achievement of the value creation objectives (processes adjustment, skills development, change management, etc.) as well as the necessary resources;

- they clearly identify the business executives who will be responsible for achieving the business objectives being pursued;

- they express the inherent characteristics of each project (budget, schedule, functionalities, sponsor, etc.) and especially its contribution considering the business objectives being pursued;

- they are materialized by an evaluation of the return on investment (ROI) of the business project that exceeds the mere financial point of view and integrates enterprise-specific value creation criteria shared and recognized by all;

- they bring forward the compliance of the project with the IS development plan in the medium term as well as the risks associated with the decision to carry it out or not.

Level 4

– The projects portfolio is controlled by the SDCITIS (see Vector 4), which relies on a formal body (sometimes called “Project Management Office” [PMO]) to ensure daily management.

– A demand management process is implemented. The projects are eligible for the projects portfolio provided that:

- their financial and/or strategic relevance is validated through a business case;

- they are consistent with the IS Master Plan;

- they comply with technological norms and standards.

– Updated business cases are used by the SDCITIS (see Vector 2) to make all the decisions concerning redefinitions or even cancellation of the projects.

– An implementation plan of the projects is developed in order to achieve the goals that are assigned to the IT department in terms of putting projects into operation.

– They are also used as a framework to establish the review at the end of the projects and mainly to assess the reality of the value creation obtained by the business after being put into operation.

– The portfolio of projects includes projects that are still in their initial phase (feasibility study) so as to have, as early as possible, a view of the requirements expressed by the business units and thus to build up the strategic planning of the IS.

– Apart from the consolidated perspective of all of the projects presented at levels 2 and 3, the project portfolio is managed bearing in mind a search for balance and overall optimization at the company’s level between value creation and risk minimization.

– The “to be” project portfolio and the route to achieve it take into account the available business and IT resources as well as the ability to mobilize them.

– The projects portfolio is mapped and scheduled taking account of the size of projects, of the challenges, of the difficulty in their implementation (maturity of technological innovations, organizational impacts, etc.).

– Monitoring the proper completion of the projects requires a good understanding of the situation of each individual project (budgets, deadlines and functionalities originally planned to meet the pursued business objectives). In addition, a consolidated vision of the portfolio of ongoing projects, through a dashboard, makes it possible to identify the impacts on the other projects in the current portfolio and on the upcoming launching decisions. This information is reported to the SDCITIS, which integrates it and takes the decisions that are necessary to ensure that the portfolio of projects will reach the expected level of value creation.

Level 5

– A “to be” project portfolio arising from the IS Master Plan serves as a reference framework for the SDCITIS to launch projects on the basis of the proposed business cases.

– To do this, the SDCITIS must equally take into account the reality of the portfolio of ongoing projects, the frame resulting from the budget and the competencies needed (IT & business).

– There is an overall business case of the portfolio of projects that reflects the strategy deployed in the enterprise. This business case is revised whenever a project integrates the portfolio of projects or when another is delivered.

– The results, in economic terms, of the project portfolio are correlated to the company’s profit & loss account.

– Once in operation, the most important business projects are systematically subjected to an evaluation in order to verify that the business profits defined in the “business case” have been achieved.

– The feedback from these evaluations is capitalized on to improve the management of the projects portfolio of the enterprise and is fed into a continuous improvement process.

– The PMO works on behalf of the SDCITIS but is hierarchically dependent on the Executive Committee.

5.4. Vector 4: alignment of the IT organization with respect to business processes

5.4.1. Issues of this vector in the digital transformation

Confronted with the necessity to quickly move forward, conventional decision-making processes are questioned especially if they go through the whole chain of command. To overcome this problem, the IT function in companies should be structured to facilitate a closer business proximity.

To this end, several levers can be used: the appointment of managers on the IT department side in charge of the relationships with the business; the promotion of work in “project mode” with Business/IT resources gathered under a same responsibility (this responsibility may be assumed either by a representative of the IT department or of the business according to the nature of the project and the required skills); the creation of a Chief Data Officer (CDO) position, etc.

5.4.2. Issues of the vector in terms of contribution to IS governance

Even if Enterprise IS Governance (EISG) does not entirely depend on the organization of the IT department, since it mostly concerns the manner in which the company is organized as a whole to most effectively drive its IS towards its business development issues, it remains obvious that some types of organization will facilitate a harmonious functioning of the EISG while others will represent a handicap.

Schematically, the more the organization of the IT department focuses on itself and its IT skills, the less it listens to its internal “customers” and to its end users. Conversely, a more “open” organization (driven by decision-making bodies closely associating the IT department and the “business units”) will be able to create value by contributing effectively to improving the performance of the “business” processes and thereby to the development of the company.

As an example:

– an IT department organized in two sections (production and studies), as it is still frequently encountered, is not naturally “customer-oriented” and generates “partitions” of the IT department, which may be counterproductive in terms of responsiveness in taking account of the needs of the business;

– conversely, an IT department organized in a matrix manner with an axis segmented by “IT competencies” (usage, networks, IT application development, integration, support, etc.) and another axis segmented by “business processes” will facilitate the decompartmentalization of the IT department to orientate it toward the “clients” and not only toward the “IT competencies”. It will also promote the collaboration between the “business units” and the IT department, the proper accounting of the requirements of each “business process” and the communication with the “business units”.

These two examples illustrate in an inconclusive manner that there is no typical IT department organization because it may vary depending on the level of maturity of the company in the way it steers the development of its IS. On the other hand, certain types of organization are more suitable than others in order for the IT function to properly take the business objectives into account.

As shown in Figure 5.3, a matrix organization has many advantages especially in terms of business orientation, but it is relatively complex to operate and cannot, in any case, concern only the companies with a high level of maturity, in which the IT department is actually considered as a partner by the business departments.

Figure 5.3.

In this business orientation of the IT function, we must nevertheless not forget that it is necessary to capitalize on transversal expertise to not constantly reinvent the “wheel” (on topics such as IS architecture and BI) and share certain services (hotline) and infrastructures to optimize the costs.

In any case, it would be mainly necessary to clarify the respective roles of the Executive Committee, the “business units” and the IT department in the decision-making process, which will allow the “recurring” services (run) to become available and to be developed in accordance with the needs of the enterprise, and especially to develop “transformation” projects (build), which will actually contribute to improving its performance. This decision-making process, which must ensure a “co-production” between the IT services and its “clients”, will notably include the creation of decision-making bodies (such as the SDCITIS) guaranteeing the good representation of the Executive Committee, “business units” and the IT department. At a more operational level, particularly in the context of “transformation” projects, IT projects will be considered as the “IT components” of “business projects”, including all the organizational consequences that may arise thereof and that must be formally specified.

5.4.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

1) Interconnection of the IT department with the company’s business units for the planning and decision-making processes

– There is a body bringing together business units and the IT department that decides on the launching of the business projects with a significant IT component, using for this purpose business cases at level 1 of Vector 3.

– For each business project with a significant IT component, there is a project manager in charge of all the components of the project. He/she comes either from the IT department or from the business departments but is designated jointly by the managements of the IT department and of the business units.

2) Implementation of the IT department–business units interconnection at the IT department organizational level itself

– The IT department has identified “IT project leaders” within its workforce.

Level 2

1) Interconnection of the IT department with the company’s business units for the planning and decision-making processes

– There is a decision-making body bringing together business units and IT department that decides, not only on launching the projects, but also on their following-up and on potential needs for reorientation.

– There are executives within the business departments in charge of the issues related to the IS. They work in proper harmony with the IT department.

– Each business unit identifies leaders for potential business projects and trains them to acquire the necessary skills.

2) Implementation of the IT department–business units interconnection at the IT department organizational level itself

– The identified “IT project managers” are trained and have the necessary skills.

Level 3

1) Interconnection of the IT department with the company’s business units for the planning and decision-making processes

– The projects launch and redefinition decisions are not only made on a case by case basis, but within the framework of the projects portfolio management level-3 (see section 4.3).

– Business project managers within the business departments of the company are federated and have developed their community within which they exchange their experiences and best practices.

– IT department representatives (at the group or business units levels) participate in the various business executive committees of the enterprise.

– The CIO participates in medium-term planning and budget meetings.

2) Implementation of the IT department–business units interconnection at the IT department organizational level itself

– There is within the IT department a single contact point for each of the business units (a kind of “account manager”). It is in charge of the relationships with the business for the recurring services and the projects.

– This “account manager” is responsible for the development of service level agreements (SLAs) as well as that of the Project Management Plan (PMP).

– Within the IT department, there are functions/skills that cut across the “account managers” and across the sections of the IT department, in order to ensure the coherence of the different layers of the architecture (business, functional, technical and application).

– Within the IT department, the various “IT project managers” exchange their experiences and best practices within a network.

Level 4

1) Interconnection of the IT department with the company’s business units for the planning and decision-making processes

– The projects decision-making body is structured in the form of a SDCITIS (Steering and Decision Committee concerning the IT and the Information System). Composed of the main business or functions directors of the company and of the IT department, its missions are in particular to:

- propose IS medium-term plans for validation by the Executive Committee;

- validate their implementation in a multi-annual, rolling road map;

- manage the portfolio of “business projects” with a significant IT component using notably the business cases (launch decision, monitoring of the progress of the projects, allocation of human and financial resources, reorientation in case of deviation, projects assessments, etc.);

- validate the IT budget.

– The SDCITIS relies on an organization comprising various structures or actors responsible for ensuring the completeness and the consistency of the business cases, as well as the proper execution of the roles and responsibilities of the different actors involved in the process (business actors, IS architects, financial officers, risk managers, etc.).

– The experiences of the various “business project leaders” are capitalized through a process of continuous improvement, which makes it possible to develop a common methodology and common practices at company level.

– The “business project leaders” are capable of driving the projects throughout their lifecycle and according to all their components (organization, competence, IS) and of ensuring that business units assume their roles and responsibilities throughout each stage of the lifecycle of the project.

2) Implementation of the IT department–business units interconnection at the IT department organizational level itself

– The “account manager” within the IT department in charge of the relationship with a business, both for recurring services and projects, is empowered to mobilize the resources/skills of the IT department in order to optimize compliance with the SLAs agreed with the business and the progress of the projects relating to the business. He updates a dashboard of the SLAs and of the progress of the projects and reports it to both IT management and business management.

– The experiences of the various “IT projects leaders” are capitalized through a process of continuous improvement and provide a means of devising a methodology and common practices within the company.

Level 5

1) Interconnection of the IT department with the company’s business units for the planning and decision-making processes

– The SDCITIS is controlled by the Executive Committee (or a formally mandated representative) and animated by a PMO, which is attached to the Executive Committee.

2) Implementation of the IT department–business units interconnection at the IT department organizational level itself

– Within the IT department, the responsibilities of the “account managers” for each of the business units are formalized in a matrix organizational framework specifying:

- “vertically”, the organization of the IT resources by type of skills;

- “horizontally”, the role of the “account manager”, which is to activate, in a cross-section fashion, the IT skills necessary to comply with both the service level agreements (SLAs) for the recurring services and the project management plans (PMPs) for the projects that have been agreed upon with the business units.

– Any disputes related to the use of resources between projects or services belonging to various business units are refereed by the CIO in accordance with the priorities of the company.

– The IT department has been organized to acquire recognized “IT project manager” skills. They are able to manage the IT component of the business projects. They ensure that the various IT actors (internal or external) of the IT department assume their roles and responsibilities for each stage of the lifecycle of the IT component of the business projects. These IT project managers are attached for the duration of the project to the “account managers” of the concerned business units.

5.5. Vector 5: IS-related budgetary management and costs control promoting transparency

5.5.1. Vector challenges in the digital transformation

For digital transformation projects, management centered on the concept of an IT budget restricted to the IT department is inoperative, because the “shadow IT” component, which is potentially very significant to the business, is missing.

Digital governance is supposed to have dedicated envelopes, defined by a top-down approach, allowing the launch of agile projects during the year. These projects require a win–win joint IT department/business units responsibility. To foster innovation, experimentation should be authorized within this framework.

5.5.2. Issues of the vector in terms of contribution to IS governance

Faced with increased performance requirements, companies have more and more reason to justify their projects economically and to optimize the recurring costs of products and services.

In this context, the management control of IS should help the company to implement:

– business cases justifying the expected benefits of the projects;

– a process for monitoring the completion of the projects in terms of costs, deadlines and steps remaining to be done;

– a transparent accountability highlighting the project benefits and resource allocations;

– a valuation of the costs of the products and recurring IS services, allowing benchmarking against other companies within the same sector;

– appropriate metrics allowing the monitoring of the IT budget in its various components.

Figure 5.4.

As shown in Figure 5.4, the IT budget is composed of two main components (products and recurring services versus transformation projects), which should be properly distinguished, each related to a completely different management mode:

1) Recurring products & services: As for a production plant, the objective is to produce at lower cost for a given quality level. The evolution in time of the unit cost of products and services, for an equal level of quality, is the indicator of productivity and therefore of performance in the management of this part of the budget.

Thus, highlighting the unit cost of products and services provided by the IT department to its clients is essential to be able to correlate it with the levels of quality agreed with the clients and formalized in SLAs.

Similarly, knowledge of the costs of the internal activities of the IT department as well as of the products and services provided by the IT department to its clients is a prerequisite in order to be able to make outsourcing decisions on the basis of factual elements.

2) Transformation projects: Projects obey a completely different logic from that of recurring products and services. Here, projects are an investment for the future, from which the company is entitled to expect a “return” in terms of competitive advantage, of financial gain, of qualitative gain (improvement of traceability, reduction of development times, etc.) or of compliance with regulatory constraints. In all these cases, this is referred to as “value creation” for the company.

The launching of such business projects with a significant IT component is therefore a decision of the Executive Committee and the business units, after consulting with the IT department. In any case, it cannot be a decision of the IT department only.

In order for the Executive Committee to be able to make informed choices concerning the projects, it is essential that these should be presented as part of a global projects portfolio management, in the form of a “business case” validated by the business units and by the IT department.

Once the launch decision has been taken by the Executive Committee, the IT department will be responsible for complying with the “cost, time, quality” aspects of the launched projects and for their impact on the IT budget. However, the main impact on the IT budget obviously comes from the decision whether or not to launch a given project.

“IT applications evolution” represents an intermediate “gray area” that should be added to these two main components and relates to a third mode of management. Instead of transformation projects contributing to the company’s strategy, IT applications evolution designates, most often, projects requested by the users to improve the operation of existing systems.

Whatever the interest of these recurring improvements, which are not subject to “business cases” and that are not decided by the Executive Committee, it is important to frame them within a budget allocated per IT application in the context of budget negotiations.

The objective is to keep sufficient development resources available for the transformation projects, but also to preserve the skills necessary for maintaining the IT application in operational conditions.

In any event, the IT budget (whether it is under the responsibility of the IT department or of the business units) should be monitored both in terms of operating expenses and spending commitments. Regarding the projects, they require in addition a multiannual monitoring, which should interrelate with the annual budget.

5.5.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

1) Global budget preparation and monitoring

– The company has a comprehensive IS budget including all IS and IT costs, namely hardware or software depreciations, human resources costs and space occupancy costs.

– This budget is broken down per IT department executive, to whom the possibility of charging certain expenses has been entrusted by delegation.

2) Recurring IT services

– The IT department has identified the key services it provides to its internal clients as well as the activities necessary to the execution of these services.

3) IT applications evolution

– IT applications evolution criteria have been defined to distinguish it from corrective maintenance and from major IT projects (IT component of business projects).

4) IT component of business projects

– The IT department is able to ensure a monitoring of projects in terms of costs, but not necessarily of the full costs at this stage.

Level 2

1) Global budget preparation and monitoring

– The consolidated IS budget is followed in comparison with the initial budget and as a ratio compared to certain items in the income statement of the company (for example operating expenses and turnover).

– The IT department involves the business units in its resource allocation decisions, in particular those concerning projects.

– The IT department has a segmentation per client of its overall budget, but this is based on an empirical approach and on many estimates, which is not sufficient to completely justify invoices for business clients.

2) Recurring IT services

– The IT department has developed, jointly with its “business clients”, a catalogue of services defined not as a technical list, but as a list emphasizing client benefits.

– The IT department monitors the time spent with the activities contributing to implementing the recurring services, both technical and application-based, especially concerning corrective maintenance.

3) IT applications evolution

– The IT department time sheet distinguishes the time spent on the evolutions of each application.

4) IT component of business projects

– The IT department time sheet distinguishes the time spent on each project.

– The monitoring of the projects costs integrates all internal and external costs excluding the consumption of shared resources (servers, etc.).

– The costs are analyzed by the different management instances of the IS.

Level 3

1) Global budget preparation and monitoring

– The IS budget managed by the IT department shows a clear distinction between the expenses related to the recurring IT service, those related to the IT applications evolution, and those related to the IT components of the business projects.

– It is the result of a formalized budget development process, in which the roles of the actors are well defined, whether they belong to the IT department or to the business units.

– The finalization of the IS budget, as well as the corresponding arbitration is carried out in the context of the overall budgetary planning approach of the company during a meeting with the general management, the financial management and business managements, in which the IT department presents and defends the IT budget.

– The IT department has implemented a management control function to help it assume all of its responsibilities in economic matters.

2) Recurring IT services

– Each IT service registered in the catalogue is the subject of a calculation of its unit cost. This calculation is sufficiently precise to be used in an internal billing and in a valuation of the cost of the services as requested by the clients in the service contracts agreements.

3) IT applications evolution

– An IT applications evolution budget estimate is defined for each application in the context of the budget process of the company.

– The IT department is able to ensure the correct allocation of this budget and to report its consumption regularly.

4) IT component of business projects

– The IT department is able to ensure the monitoring of the project in terms of observed costs, quality and deadlines.

Level 4

1) Global budget preparation and monitoring

– The IS budget gives a consolidated vision (IT department and business units) of all the costs of the IS function, whether or not they are placed under the hierarchical responsibility of the IT department.

– A distinction between the expenses related to the recurring services, those related to the IT applications evolution, and those related to the IT components of the business projects is made at the level of this consolidated IT budget.

– The budget is presented both in the form of income statement (P&L) and of financing table (cash-out).

– The budget is presented jointly by the business units and the IT department to the Executive Committee for validation and arbitration.

– This consolidated IT budget is followed both in time, compared to an initial budget developed at the beginning of the year and as a ratio compared to certain items of the company’s income statement (for example operating expenses, turnover and value added).

– Monitoring is done in accounting terms and in terms of expenditures commitment.

– The IT department regularly communicates these findings to the Executive Committee and to the SDCITIS.

2) Recurring IT services

– The IT department is able to monitor and to explain the evolution of the budget over time and compared with the unit cost of each of the IT services listed in the catalogue.

– The calculation of these costs reflects the level of service delivered, the volume associated with the service, and the performance of the activities that contribute to the production of the service.

– It is consistent with the AFAI-CIGREF benchmarking model for IT costs, which relies on an activity-based costing/management (ABC/ABM) approach.

– These evolutions and these variances reflect the intrinsic performance of the IT department with respect to the recurring operation. They are monitored by the Executive Committee and/or by the SDCITIS in the context of the budgetary process of the company and/or of internal benchmarking operations.

– As soon as the previous elements are under control, the rebilling of the recurring services is used as a lever to empower the business units in an effort to reduce recurring costs.

3) IT applications evolution

– The consumed budget as well as the deliverables are monitored by the SDCITIS in terms of profits being made, of meeting deadlines, of quality of the deliveries but also of backlog.

– Corrective actions are decided by the SDCITIS on the basis of any potential variances observed. They concern both the IT department and the business units.

4) IT component of business projects

– The IT department is able to update the forecasted costs and delays of the projects on the basis of the observations and of a relevant overview of the rest to be done in terms of functionalities to deliver. By doing so it is also able to update the financial part of the business cases.

– It informs the SDCITIS that takes the corrective measures that apply both vis-à-vis the IT department and the business units.

– In case of any budget restrictions imposed by the corporation, the possible impacts on the projects are decided by the SDCITIS, and not only by the IT department. It is the SDCITIS that communicates with the business units on these potential reassessments, or even on project abandonments or postponements.

Level 5

1) Global budget preparation and monitoring

– In the case of any observed divergence in the overall budget, reassessment actions are taken by the SDCITIS. They take into account the nature of the variances, according to whether they relate to the projects, the IT applications evolution, or the recurring services.

– The SDCITIS informs the IT department and the business units so that they can take action.

2) Recurring IT services

– The unit costs of the IT services delivered are used for the purposes of external benchmarking.

– The observed variances generate action plans resulting in tangible improvements.

3) IT applications evolution

– The SDCITIS capitalizes on the feedback on the company’s ability to comply with the budgets allocated to the IT applications evolution. If necessary, it launches action plans of a structuring nature for the company such as: projects to revamp an IS that consumes excessive maintenance resources, third-party applicative maintenance, etc.

4) IT components of business projects approved according to the mechanisms outlined in the “project portfolio management” vector

– Achievement reviews at project completion (when its operation becomes stabilized) are used by the SDCITIS to verify that the ROI expected in the business case is achieved. A special focus is placed on business value creation, the objective being to capitalize on practical experience and thus launch a continuous improvement process.

5.6. Vector 6: project management with respect to business objectives

5.6.1. Issues of this vector in the digital transformation

As mentioned in vector 3, delivery management becomes predominant compared to the other management drivers (budget, functionalities) because of the shorter cycles of the digital world. It makes sure that IT applications be designed in the form of functional modules whose compliance to requirements can be independently verified by business units. These modules must also be calibrated to be developed within a time compatible with the frequency chosen for deliveries and the available resources. For some Web giants, such as Facebook and Amazon, the production pace of small developments can even be daily.

5.6.2. Issues of the vector in terms of contribution to the IS governance

Any company’s ambition that requires an investment is materialized by a project. When these ambitions require that IT or technological resources be mobilized, the IT department becomes an active part of the project in the same way as business units.

The success of such projects thus requires a common management between the IT department and the business units that are responsible for supervising the work. That is why business units and the IT department must designate project leaders with an overall responsibility of the business project.

They are in charge of controlling the project according to all its components (IS, organization, skills, change management, etc.) and of managing its budget in order to obtain in the end the business profits expected in the business case. They have the means to plan the project and to monitor its progress. To achieve these objectives, they use a project management methodology that is shared by all stakeholders in the project.

For the IT component of the project, they specify the contribution expected from the solution in functional and technical terms (availability, response time, security, etc.). During the implementation of the project, they ensure compliance with the planning, with the budget and with the conformity of the expected deliverables. Following the implementation, they approve the solution (verification of the compliance with the specifications) at both the functional and technical levels, based on multidisciplinary skills (organizers, technicians, functional experts, user’s representatives, etc.).

Finally, they provide the operational implementation: they drive the transition process toward the target business and ensure the integration of the processes, of the skills and of the IT solutions. As such, they control the end users’ training as well as the communication with the personnel, the social partners, or even the clients and the suppliers impacted.

The project management of the IT component of the project is entrusted to an IT project manager who has the responsibility of leading the design and implementation phases in accordance with the requirements of the business case and of coordinating the various stakeholders (internal or external). The best practices in terms of IS implementation are addressed in vector 7.

Figure 5.5 shows both the business units and the IT department involved throughout the lifecycle of projects. It illustrates the fact that a business project with a significant IT component is a coproduction between the business units and the IT department, with a variable involvement of the stakeholders based on the phases of the project.

Figure 5.5.

It is also important that each phase be initiated by a formal “GO” in the context of the decision-making process in place in the company that officially clarifies the role of the committees (SDCITIS, business board committees, business units, steering committees, project committees, etc.) associated with the different milestones of the project.

Figure 5.5 also shows that there is no IT project as such (apart from some purely technical projects), but that the IT component is just one of the components of the business project. The business project is mapped with a business process and is responsible for achieving its business goals.

5.6.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

The management of a project, whose launching has been decided by the SDCITIS (see Vector 3), relies on a set of best practices adapted to each phase of its life cycle:

Project launching:

– The commitment of the project relies on strategic and operational validations that ensure, on the one hand, that the added value of the IT solutions is maximized and, on the other hand, the sustainability and the consistency of the retained solutions. This is achieved by means of:

- a project governance model (business sponsor and other stakeholders, roles and responsibilities, committees, monitoring, reviewing and assessment processes, methodological framework);

- the identification and the allocation of the necessary resources (budget, internal teams, external expertise, etc.).

Project progress:

– For the IT component:

- a document such as a Project Management Plan (PMP) formalizes a contractual agreement responding to the requirements of the business case;

- measurement of the costs, delays and functionalities indicators compared to the elements established in the PMP and updating of the forecasts as a consequence;

- deliverables control and compliance with the milestones;

- quality review and independent audit;

- reporting to decision-making bodies;

- updating of the business case in the event of deviation or context change;

- project redefinition if necessary.

– For the organization and skills components:

- definition of the organization principles, processes and new working methods;

- changes in the content of job descriptions and work positions;

- definition of the changes of organization and identification of the social consequences (e.g. training needs);

- development of the training and recruitment plan.

Operational implementation:

– Putting the IS solution into operation (implementation of the configurations, data conversion and recovery, service start).

– Transition toward the target organization and integration of the processes, people and IS solution (implementation of the training and recruitment plans, communication with the personnel and the social partners, etc.).

Post project:

– Overview compared to the Project Management Plan (PMP) at the end of the IT component of the project (first overview).

– Overview compared to the initial objectives of the business case, once the operational implementation is complete and effective (prolonged overview).

Level 1

– Companies have realized that IT projects are just one of the components of business projects, the latter integrating other components (organization and skills).

– The project is embodied by the business sponsor and the IT project leader.

– The project is driven by IT through costs and time indicators, without the rest being systematically evaluated.

– The IT project leader raises awareness in business boards affected by the possible reorganization and training needs.

Level 2

– The major projects of the company are driven by business project managers that coordinate the implementation of the project in all its components (IS, organization and skills). They are mainly operational managers who exercise this function in addition to their usual responsibilities. For these major projects:

- steering committees involving the business executives concerned are formed;

- cost elements are estimated by the IT department in collaboration with the business project manager and then validated by the steering committee;

- the steering committee is informed of the progress of the project and makes decisions based solely on costs and schedules.

– There is a project management methodology for the IT component, but it is neither systematic nor common to all projects. Its implementation depends on the maturity of each project leader.

– To avoid any “tunnel effect”, projects can be broken down into functional lots “on a human scale” that can be tested easily by business units.

– Both the organizational components and those relating to the management of the business skills affected by the project are under the responsibility of the business project leader. However, he does not necessarily have either the availability or the skills necessary to manage these tasks. The use of external expertise is “massive”.

Level 3

– For the major projects of the company, “business” collaborators are assigned full-time to the function of business project leaders. They receive the necessary training to have the skills adapted to the challenges of the project.

– Steering committees have the necessary key elements required to monitor the progress of projects (to do’s and rescheduling, in addition to costs and schedules monitoring) and make the necessary redefining decisions.

– The project management methodology is applied evenly to major projects: typical deliverables, PMP, project dashboard, etc.

– Functional lots have short implementation deadlines and are tested progressively by business units.

– The skills and the availability of the business project manager enable him/her to properly manage the business and skills components.

– The completion of the project IT components is formalized when the production of the IT solution begins.

– Business cases are formalized for major projects. The IT department and business units contribute to its development. Business cases are used to measure the financial viability of the project. However, achieving the profits listed in business cases is not controlled.

Level 4

– The criteria of Level 3 are generalized to all projects.

– Functional lots are sufficiently independent of each other to be operationally implemented gradually, as they are tested by business units.

– The resources of the projects are kept in “no-take reserves” to guarantee their availability.

– In addition to the steering committees, the SDCITIS (Steering and Decision Committee concerning Information Technology and Information Systems) is informed of the progress of the major projects and is involved in redefining decisions.

– In the event of significant deviation or significant change of context, the business case is updated and presented again to the body that validated the launch of the project.

– When the transformations originating from the business project have been integrated in the daily operation, an economic assessment is performed with respect to the objectives of the business case.

Level 5

– Quality reviews are commissioned by the business project leader.

– For major projects, independent audits are conducted.

– At the end of the IT component of the project, an assessment is performed and compared to the PMP (is the project successful in terms of budget, schedules, or functionalities? To what extent and why? What were the problems encountered and what lessons can be drawn for the future? What were the best practices experienced and how can they be reused in other projects?).

– The project leader is personally involved in the repositioning of the members of his team, to help them find a new job corresponding to their skills and their ambitions, but also to help the company to take profit of their experience acquired during the project.


5.7. Vector 7: provision of IT services optimized with respect to clients’ expectations

In this vector, we will only discuss the client aspects of IT services, which represent the “tip of the iceberg”. We will therefore hide IT production processes, such as computer-based operations, office automation, networks and infrastructures management, etc., which, while being essential to the provision of services, are beyond the scope of this book.

5.7.1. Issues of this vector in the digital transformation

The digital company is characterized by the fact that new technologies provide a means to be connected at all times with its clients, suppliers, and partners, and even objects, in all places and for all purposes. This development was already noticeable in the first Internet wave. What is new with digital transformation is the rapid expansion of the concept, which can quickly challenge information systems and their role as IT service providers. As a matter of fact, the level of service requirements changes, especially as response time becomes key. In addition, Web applications must be available 24 hours a day, 7 days a week, and new functionalities have to be released into production on an ongoing basis.

5.7.2. Issues of the vector in terms of contribution to IS governance

The delivery of optimized services is first based on the good understanding of issues and expectations of the “IS clients”. Based on this understanding, which is the basis for our Enterprise IS Governance approach, the IT department must issue a set of services corresponding to these expectations, whether through internal or external resources. For this, it will have to offer:

1) an efficient management of the levels of service provided by the IT department;

2) a proper support and assistance to IS clients;


3) a preventive and effective release into production;

4) a professional implementation of the IT component of projects;

5) an assessment of the benefits of outsourcing or not certain activities contributing to the delivery of services coupled with an efficient control of outsourced activities.

1) Efficient management of the levels of service in the context of SLAs

Its purpose is to maintain and improve the IS quality of service, while aiming at a better relationship with its clients:

– through the construction and the regular updating of a service catalog that integrates all the services that IT offers to business units;

– through negotiating and signing service agreements, including indicators for assessing compliance with targets and for changing them if needed;

– through a three-level management system of IT services:

- at the operational level, through Service Desk (see the next point);

- at the IS management level of each business, through the “account manager” of the IT department with the business (see Vector 4);

- at the executive level, through the SDCITIS (Steering and Decision Committee concerning Information Technology and Information Systems) management body.

2) Proper support and assistance to IS clients

– Customer support (or Service Desk as it is called in the ITIL framework) is absolutely crucial to the management of the level of quality of all the services that are provided by the IT department to its internal “clients” and to all users of the IS. In order to ensure its effectiveness, a Service Desk should be put in place, which is the single point of contact between the IT department and its “clients” or users for recurring services; this service, usually articulated around a call center, includes incidents and requests management as well as communication with “clients” and users; it operates as an interface with the operational entities of the IT department, which are in charge of services production; it is also intended to assist end-users in using IT applications under a number of defined conditions.

– Service Desk challenges are multiple:

- as a genuine showcase of the IT department, it represents the department as well as its managers with regard to the users of the systems and IT applications. It also shows willingness to combine a genuine client service with the technology made available to users;

- it is a communication node between users and all internal services and external partners involved in the development and in the maintenance of the IS. It also offers the opportunity to replace a negative communication logic (incident response) by embracing a positive and proactive one where users can communicate with the help desk about their requirements, their wishes, their satisfaction concerning the provided services. They also expect to find in the help desk an effective platform to every service of the IT department;

- as an efficiency vector of the IS, the Service Desk delivers relevant indicators on the difficulties encountered by users, and thus gives the opportunity to improve, to maintain and even to intelligently guide the solution choices and not only under the pressure of a few isolated cases. It is also an action force to quickly correct defects or disseminate usage rules;

- acting as a key link of the quality process of the IS, the Service Desk embodies some sort of improvement loop of the IT processes by quickly passing the actions to be taken to other actors in the IT department;

- finally, the support service is the centerpiece of a good relationship with clients, oriented toward service and professionalism. By making events factual and by ensuring that users’ requests, their processing and their follow-up are quickly taken into account, the support service helps the client to better understand the whole set of services of an IT department and the whole company. Within the same logic, it will also make it possible to clearly and simply present the service commitments taken with clients and business units.


3) Preventive and effective IT applications’ release into production

– All releases into production (including maintenance and emergency corrections) concerning the infrastructure and the IT applications must be managed and controlled in a formal manner. They must be evaluated and authorized prior to their implementation, for example through a qualification process, then compared against the expected results. This minimizes risks of negative consequences for the stability and the integrity of the production environment; it also promotes a faster solution of production problems and facilitates greater availability.

– Effective and preventive release into production management involves the following steps:

- apply only authorized and planned releases into production to the infrastructure and to IT applications;

- evaluate the impacts of forthcoming releases into production to be achieved;

- verify the completeness of the operational documentation accompanying production start (qualification);

- monitor the achieved releases into production and report them.

4) A professional implementation of the IT component of the projects [3]

– To ensure the proper implementation of the IT component of “business” projects in accordance with the objectives of the “business case”, it is essential to control IT application development not only in terms of costs and schedules but above all in terms of quality of functionalities delivered.

– To do so, whether the development is carried out internally or outsourced, the IT department should implement and enforce methods and tools that give a precise understanding of the progress of the project against milestones and of the “to do’s”, and that also make it possible to derive regular re-evaluations from it, allowing for possible corrective decisions.

[3] This component addresses only the implementation of projects in the development sense; management aspects are addressed in Vector 6.


– Most best practices making it possible to control the various IT development aspects are described in the CMMi framework (whose Level 3 corresponds to a maturity Level 5 for companies that are not specialized in IT).

– The implementation of these best practices often involves the evaluation of expected “function points”, achieved against the milestones and remaining to be done. Some tools based on this “function points” approach make it possible to monitor the quality of the developed code and to anticipate the maintainability (as well as the associated costs) of the future IT application.

– We should also stress the importance of interactions with users throughout the development process to correctly prioritize problem fixes according to the most significant issues. This goes even further with agile methods that are based on continuous interactions with end-users during development.

– IT application development control is therefore essential not only to meet the objectives of value creation as defined in the “business case” of the projects, but also to contribute to the reduction of “recurring” costs of the IT applications in production. As a result, it is an essential element of IS governance.

5) An assessment of the benefits of outsourcing or not certain activities contributing to the delivery of services coupled with an efficient control of outsourced activities

– Outsourcing requires first and foremost the identification of the relevant scopes: what should be preserved? What should be outsourced? A rigorous analysis of profits and risks may be conducted to weigh the pros and cons, on a horizon consistent with the desired lifetime of the solution. This is all the more important as outsourcing entails investments both on the client side and the supplier side.

– Outsourcing must not be improvised and requires that key skills be retained in the company, especially to manage the integration of the contracted service in the value chain of the company. Furthermore, the inevitable legal nature of the relationship with the providers assumes that skills, often new, be developed in defining requirements and in managing outsourced contracts.

– The outsourcing operation always incurs the risk, for the company that makes use of it, of losing the associated skills. Rarely detrimental when outsourced processes are properly operated, outsourcing may become critical if the company aims to reintegrate its outsourced operations. Not only will the company have lost the skills originally acquired, but its knowledge of the outsourced business may be outdated, as it may have certainly progressed and developed during the subcontracting period.

– It is important to adopt a partnership approach of the outsourcing contract rather than a client/provider one. This partnership approach can only be based on a principle of loyalty or of good shared management. Partnership management can only have a good operational performance if client and provider have a synchronized logistic control of their activities. On the basis of this definition, it is then necessary that providers and clients share their information in order to coordinate their activities in an optimal manner.

As Vector 7 concerns both the delivery of recurring services and IT application development within the context of projects, the main frameworks for correct practices will be:

– the ITIL framework for providing recurring services (support and delivery);

– the CMMi framework for IT application development.

The CMMi covers the development, integration, evaluation, procurement and HR phases related to the project, prior to production and support phases covered by the ITIL.

Figure 5.7 shows that these two frameworks are largely complementary and widely address the scope of Vector 7 dedicated to service provision.


Figure 5.6. The ITIL covers production and support phases for recurring services

Figure 5.7.

5.7.3. Best practices associated with the vector and measurement of the company’s level of maturity in the vector

Level 1

1) Management of service levels

– Companies have become aware of the need to manage IT service levels but this is reflected in initiatives that depend on circumstances.


– Operational and final responsibilities for defining and managing IT services are not assigned.

– Where performance measures do exist, they are qualitative only.

– Service levels related reports are infrequent, informal, and lack methodology.

2) Support and assistance to IS clients

– The IT department acknowledges that a process relying on tools and staff is necessary to meet users’ requests and to manage the solution of incidents.

– However, there are no standardized processes and the management does not organize any monitoring of users’ requests, of incidents or trends.

– There is no escalation process defined to deal with problems.

3) Preventive and effective release into production

– The IT department acknowledges that changes should be managed and controlled, but:

- documentation about changes is poor or non-existent and that of configurations is incomplete and unreliable;

- basic configuration management tasks such as maintaining a hardware and software inventory are carried out by individually-based initiatives. There are no standardized practices;

- it is likely that unauthorized changes may occur;

- errors as well as interruptions occur in the production environment due to the non-rigorous management of changes.

4) Professional implementation of the IT component of projects

– The IT department has become aware that the IT component of projects (development, maintenance and integration of internal or external IT solutions) must comply with a recognized methodology and rules of practice.

– From one project to another, different rules or methodologies are applied.

– This leads, in some cases, to inefficiency in the acquisition process as well as in the maintenance of the implemented solutions.


Level 2

1) Management of service levels

– The IT department has established a list of the activities contributing to the delivery of services provided to users. However, there is no catalogue of services.

– Reporting on service levels is incomplete. It depends on the skills and the individual initiatives of those in charge of the reporting.

– The company has designated a service level coordinator and has assigned him well-defined responsibilities but insufficient authority.

2) Support and assistance to IS clients

– A kind of “informal” assistance exists thanks to a network of individuals who have a good level of knowledge.

– These people have some tools to support incident solving that are common to them.

– There is no formal training or communication on standard procedures.

3) Preventive and effective release into production

– Configuration documentation is not precise and before a change there is merely limited planning and evaluation.

– Configuration management tools are used but they differ according to platforms and no standard practice has been defined.

4) Professional implementation of the IT component of projects

– A methodology governing the IT component of projects (development, maintenance and integration) is chosen but its implementation varies from one project to another.

– The procurement process and the maintenance of the implemented solutions are efficient. But in some cases there are still failures.


Level 3

1) Management of service levels

– The service catalog and expected service levels are defined and formalized through service agreements.

– There are controls programmed to assess service levels and clients’ satisfaction.

– Shortcomings in service levels are identified but procedures to address them are informal.

– The connection between service levels and the corresponding funding is established.

– Service contracts agreements are an important component of service billing by putting forward, not the “energy” necessary to produce the service, but the added value brought to business units.

2) Support and assistance to IS clients

– The Service Desk is implemented and structured into adequate units to address the different escalation levels (Level 1: call response and solving of common incidents, Level 2: processing by non-dedicated analysis teams, Level 3 and higher: processing by experts).

– It processes both technical and functional requests, thus improving the speed in solving incidents.

– Requests reception and incident management procedures are formalized and trainings take place within the IT department.

– Users have received precise information on what they should do in the event of requests or of incidents.

– Raised questions and incidents are recorded and individually tracked but this activity does not result in formal reports.

– Raised questions and incidents having received a timely response are not identified.

3) Preventive and effective release into production

– There is a defined and formal change management process that is gradually observed.


– The analysis of the impact of IT changes on business activities begins to be formalized.

– Configuration management tools common to the various platforms are implemented. Automation systems are used to track down changes in hardware and software.

– Physical evaluations of actual configurations are not yet systematic.

4) Professional implementation of the IT component of projects

– The methodology chosen to govern the IT component in projects (development, maintenance and integration) is formalized and applied to all projects.

– The progression of the projects is monitored (costs, deadlines and functionalities made available).

5) Efficient management of outsourced activities

– The IT department has evaluated the opportunity and the risks of outsourcing or not each of the activities contributing to the provision of the services identified in the catalogue.

– Regarding the activities to be outsourced, expectations towards service providers have been clearly defined in a specifications document and a plan describing transfer operations is established.

– In the contract, there are criteria making it possible to measure the quality of the service provided. Management reviews are made regularly with the provider. They are the subject of systematic reports and are accompanied by action plans to address any potential deviation observed.

Level 4

1) Service levels management

– The IT department and its clients have a clear and coherent perspective of the required service, as well as of the share of roles and responsibilities. This, as a result, avoids potential misunderstandings or omissions.


– The criteria used to define the service levels are based on what is critical for the business and involve availability, reliability, performance, capacity for growth, users support, business continuity planning and security considerations.

– The company has defined the financial and operational risks related to services that do not reach the agreed level.

– Service levels requirements are increasingly defined upstream and integrated into environments and IT applications design.

– Client satisfaction is measured and evaluated on a regular basis.

– Measurements are made to assess whether or not the service levels formalized in service agreements are achieved.

– Service reporting lists the clients’ and users’ actions that can cause defects and thus allow the identification of either sources for improving efficiency or training needs.

– Corrective actions are initiated if necessary to comply with the terms of the service agreements.

2) Support and assistance to IS clients

– Service support staff receives training providing a means to become professional and thus develop best practices.

– The key role of support for reconciling “client” orientation in IT services and a necessarily “technical” orientation of IS development is recognized and reflected in its position within the IT department.

– The tools and techniques are automated and there is a centralized knowledge database.

– The Service Desk team has a close relationship with the one that is responsible for solving the problems.

– Service Desk effectiveness is monitored.

– Communication, escalation and incident troubleshooting procedures are in place and are known to the IT department and to business units.


3) Preventive and effective release into production

– All changes are submitted to an impact evaluation, to a comprehensive planning and for approval so as to minimize the probability of problems after production is initiated.

– Release into production management is increasingly integrated with the evolution of business processes so as to ensure that issues related to training, organizational changes and business continuity are taken into account.

– Configuration management systems make use of push technologies to impose standards and cover the largest part of IT assets. They allow the proper management of versions and of the control of hardware and software distribution.

– Physical evaluations are systematic.

4) Professional implementation of the IT component of projects

– Project monitoring systematically includes a forecast component (cost, time, developed functionalities) based on the evaluation of the “things to do”.

– The IT department supplies the Executive Committee (or the SDCITIS) with structured and relevant information concerning the progress of the IT component of the project (development, maintenance and integration).

– This reporting can highlight the level of functionality made available (for example, on the basis of an assessment of the function points) for each established milestone, as well as costs being associated.

5) Efficient management of outsourced activities

– Regarding outsourced activities, reversibility modalities in case of changing providers or re-insourcing have been defined and are regularly tested.


Level 5

1) Service levels management

– Service levels are continuously revalued to ensure the alignment of IT and business goals.

– All activities related to the service level management process are subject to continuous improvement.

– IT department executives have the resources and the margin of initiatives necessary to achieve the objectives of the service levels. The management receives “bonuses” when these objectives are met.

2) Support and assistance to IS clients

– Service Desk is an organization that encompasses the whole information system; 100% of the users’ requests use this helpdesk service that solves about 85% of current cases by providing professional advice and structured escalation processes. The incidents and requests knowledge database consists of rich and comprehensive Frequently Asked Questions (FAQs).

– The Service Desk represents the true client service of the IT department: its operational rules are based on the service levels expected by clients and their compliance. Its staff has a good knowledge of the business units to identify the urgency of situations and exercises a rigorous monitoring of priorities and of incidents. In particular, the state of mind is geared toward assisting the client with special attention to its needs and the staff has the knowledge and the will to help.

– Users have tools that allow them to perform self-diagnostics and solve themselves some of the incidents.

– The client helpdesk function is subjected to measurements regarding its performance, permanent improvements and benchmarking with other companies.

3) Preventive and effective release into production

– The change management process is regularly reviewed and updated to remain at the level of the best practices.

– IT changes management is integrated into business changes management.


– All IT assets are managed within a centralized configuration management system that contains all the necessary information on the components, their interrelationships and their development history.

– The configuration information is computerized and allows the control of the different versions.

4) Professional implementation of the IT component of projects

– The IT department applies the rules of best practices about conducting the business IT component of the projects.

– It ensures rapid deployment of the expected functionality, thus responding to the reactivity and flexibility requirements resulting from business development.

– It applies a process of continuous improvement of these practices by capitalizing on structured practical feedback.

5.8. Vector 8: prospective management of IT skills

5.8.1. Issues of this vector in the digital transformation

Even if IT has to be driven by business issues, the technological aspects have an increasingly strategic dimension within the digital transformation. As a result, new skills emerge (chief data officer, data scientist, data steward, etc.) or should be strengthened (web developer, security expert, integration expert, etc.). It is important to have them under control because they require a level of expertise highly sought after on the market which is sometimes difficult to find, even as they, at the same time, become indispensable.

5.8.2. Issues of the vector in terms of contribution to IS governance

Skills management aims to give value to know-how, recruit and retain the best talents and build professional paths favorable to collective knowledge capitalization and to the valuation of individual skills.


In order to transform it into a tool at the service of the company’s strategy, IT skills management must be prospective, built upon sustainability and must involve a reflection regarding collective skills (macros skills) with the aim of guiding management of the human resources.

Prospective skills management includes the design, the implementation and the monitoring of policies and of consistent action plans. These plans are aimed at reducing at an early stage the differences between skills requirements and existing human resources.

Thus defined, it becomes a fundamental “building block” of IS governance, insofar as it provides:

– the optimization of the human resources available with respect to the individual and to the collective skills required to address the needs of present and upcoming IT projects;

– skills and technologies alignment corresponding to the strategic choices of the enterprise;

– “upstream” reflection on the skills that may (or must) be outsourced, but also on those that companies must absolutely internally preserve (or create) at the risk of losing control of their IS, which would be the opposite of good IS governance.

It thus particularly enables:

– a high level of employability to be maintained (skills alignment with regard to the requirements) in order to maximize the use of the available human resources;

– the reduction of the turnover achieved;

– anticipating as much as possible the impacts on the internal staff of any outsourcing decisions, in order to find optimal solutions both for the staff and for the company;

– reducing dependence on external consulting companies, which can in some cases cause a loss of control of the IS by the company;


– meeting the IT department clients’ expectations and thus improving their level of satisfaction.

Figure 5.8 shows the type of reflection to be made to derive the planning of the IT skills:

– strategic objectives of the company;

– as well as foreseeable developments in technologies and practices.

This reflection involves both:

– an analysis of the desired level of proficiency for each macro-competence (or collective competence) of the IT department;

– an analysis of the degree of maturity of the macro-skills on the market, which will allow the development of an in/outsourcing policy.

The results of this reflection will be inserted in the medium-term business plan so that the corresponding action plans are scheduled with the necessary resources for their implementation.

Figure 5.8.


5.8.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– The IT department has implemented, with the HR function of the company, a staff management enabling it to analyze, per service and/or skills center:

- the ages pyramid in the short, medium and long term;

- the number of years of experience;

- the turnover %;

- the average training budget per person;

- the evolution of the differences between salaries in the IT department and those of the market.

– The IT department has put in place a certain number of action plans (recruitment, mobility, training, etc.) to adapt the individual skills at its disposal:

- on the basis of the analysis originating from the HR management;

- based on its knowledge of the supposed business requirements.

Level 2

– Post worksheets specifying the missions of the IT department staff have been created.

– The organization chart as well as the roles and the missions of the IT department staff are known not only to the IT department but also to business units.

– A skills assessment approach has been implemented within the IT department with IT department-specific tools.

– The findings and action plans resulting from these evaluations are shared by the IT department management committee.

– They lead to a number of individual or collective action plans (recruitment, mobility, partnerships, outsourcing, training, etc.).


Level 3

– The IT department has established a mapping of the available collective skills (or “macro-skills”), both at the quantitative and the qualitative levels.

– Based on the master plan, or on its draft (see Level 2 of Vector 2), the IT department has defined a target in the medium term for the “macro-skills” both technical and IT applications development related.

– It has conducted an analysis of the deviations between the current situation and the target.

– It has performed an analysis of its “macro-skills” compared to the market offer.

– From these external and internal analyses, the IT department has developed a medium-term development plan of the “macro-skills”, which drives the company’s planning process.

– Along with the HR department of the enterprise, it has therefrom concluded a number of individual and collective action plans (recruitment, mobility, partnerships, outsourcing, training, etc.).

Level 4

– With the business units, the IT department has conducted an assessment of the importance of the contribution of the projects to the company’s strategy and derived from it a desirable level of mastery in “macro-skills”.

– Under the impulse and the drive of the SDCITIS, an analysis of the deviations between the current situation and the desirable level of proficiency has been jointly conducted between the IT department and the business units.

– For each “IT macro-skill”, the IT department has also carried out a maturity analysis relative to the offer of the market (emerging, mature, declining, etc.).

– The crossing between the desirable level of mastery, the deviations from the current situation and the maturity of the market has made it possible to determine for each “macro skill”:

- an in/outsourcing policy validated by the Executive Committee;

- HR action plans for recruitment, mobility, partnerships, training, etc.

– The result of this crossed prospective analysis performed jointly by the IT department and the business units is introduced into the enterprise medium-term plan.

– The IT department has implemented knowledge management in order to capitalize on the best practices within each “macro skill”.

– Prospective skills management is permanently inserted into the company’s culture and can be based on indicators and specific rules on the topic.

Level 5

– The IT department has at its disposal a current and target mapping of the collective skills (or “macro skills”) developed not only from:

- the IS requirements of future “business” projects arising from strategic planning (see Vector no. 1);

- the essential developments of the IS resulting from diagnostics, conducted in the context of the ISMP (see Vector no. 2), concerning the situation of the IS in terms of flexibility, of risk of obsolescence, of maintenance costs, of data or IT applications redundancy;

– but also from the monitoring process in place in order to identify, as soon as possible, the technologies likely to provide the company with a competitive differentiation or a better response to business requirements.

– This target mapping, reviewed every year as part of the medium-term planning cycle, reveals, for each “macro skill”, the desirable level of proficiency in view of its significance with regard to the projects and to their contribution to the company’s strategy.

– The medium-term plan of the HR department takes into account the results of the strategic analysis of the “macro skills” to assist the IT department in implementing them as “upstream” as possible.

– A policy for continuous training is implemented so as to optimize the development of individual and collective skills based on the potential for development of the company’s employees.

– When the company’s competitiveness depends significantly on IT, the strategic reflection of the company takes into account the medium-term development plan of the “macro IT skills”.

– Similarly to other medium-term action plans of the company, the action plans and the associated resources originating from the strategic analysis of the “macro-skills within the IT department” are annually reviewed and are subject to regular monitoring during the year by the Executive Committee and/or the SDCITIS.

5.9. Vector 9: IS-related risk management adapted to business challenges

5.9.1. Issues of this vector in the digital transformation

In order to cope with fast-paced changes in digital technology, companies must act quickly. Furthermore, innovation combined with the pace of change presents risks that the company should therefore assume. As examples, we can mention cloud-related risks and more generally those related to outsourced solutions. Additionally, we can also consider the security risks resulting from a wider opening of the IS, exposing it to threats such as data theft or sabotage.

Good IS governance constitutes an effective tool to apprehend risks and to control them through dedicated processes, while adapting the response level to the business challenges of the various risks.

5.9.2. Issues of the vector in terms of contribution to IS Governance

The risks that companies face emerge from numerous sources: credit risks, strategic risks, market risks, competition-related risks, IS-related risks, etc.

According to the RISK IT framework, IS-related risks can be classified into three major risk typologies:

1) Risks associated with failure of the IS in terms of availability, integrity, non-compliance and privacy. They result in a deterioration of the operational conditions of business processes and/or of products or services provided by the company. They can therefore have significant consequences in financial, image and reputation, productivity, and competitiveness terms, etc.

2) Risks related to IT projects, which correspond to failure (total or partial) in meeting the value creation objectives pursued by the company through the IT projects it has initiated.

3) Risks related to the missed opportunities of not using technology to improve the efficiency or the effectiveness of business processes, or of not making use of technology as a catalyst for new business initiatives.

Figure 5.9. (source: ISACA: RISK IT Framework)

Besides enabling decision making and integrating a good knowledge of the risks involved and of the tolerance level of the company, formalized through service agreements, proper management of IS-related risks makes employees understand how to react to risk and how to prepare for it.

To do this, a policy and a general organization related to the safety of the IS must be implemented and integrated into the business risk management policy, as shown in Figure 5.10, taken from RISK IT.

Figure 5.10.

5.9.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

1) Risks related to IS failure

– Companies have followed an approach enabling them to make an inventory of the information assets, assign them an owner, categorize them, determine their level of protection and establish the security measures to be implemented according to their context of use.

– There are backup solutions in case of failure of critical assets.

2) Risks related to IT projects

– The risks of cost and schedule overruns are evaluated for all IT projects.

Level 2

1) Risks related to IS failure

– The IT applications are mapped with “business” processes in order to be able to assess the contribution of the applications to the operation of the “business” processes and therefore their criticality.

– In addition to this mapping, there is technical mapping of all the IT components (hardware, networks, software, infrastructure, etc.) with the IT applications they belong to.

– There is a plan for securing communications and the information exchanged with partners and clients. It aims to ensure the safety of telecommunications networks, of operating systems and applications.

– There is an outreach program about IT security for the employees so as to protect confidential and nominative information and to best use IT equipment according to standards and rules in force.

– Safety rules to be observed or to be required in the acquisition, development, implementation and maintenance of IT applications and software are defined.

– A process of security incident management is in place. It primarily makes it possible to specify the behaviors that have to be adopted upon incident or safety malfunction detection.

– There is a disaster recovery plan (DRP) in case of failure of the IT services, as well as a backup plan for the data and the company’s IT applications.

– There is a system to report information on the operating risks of the IS, intended for the Executive Committee.

2) Risks related to IT projects

– During implementation, the risks of disruption of the existing systems are taken into account.

– There is a system to report information related to risks on projects to the Executive Committee.

Level 3

1) Risks related to IT failure

– The development of the service agreements integrates a risk analysis with the business units.

– Logical and physical access to information and resources is managed and controlled; unauthorized activities are detected; rules to be observed concerning identifier and password are specified, as well as the permissions related to the access profile.

– An evaluation of security issues related to “business” processes is carried out jointly by the IT department and the business units. It leads to the valuation of the negative impacts for the company (financial, efficiency, competitiveness, etc.) resulting from IS malfunctions (availability, integrity, confidentiality).

– The IT disaster recovery plan (DRP), and the data backup plan are regularly tested.

– The IT department is responsible for the correct implementation of the embedded controls (consistency controls, data transfers, clearances, processing synchronizations, etc.) in the IT applications with respect to the business challenges.

– The roles and responsibilities of managers, users, contractors, service providers and owners of information assets are specified.

– The points highlighted by the various assessments (internal or external) are followed by action plans (for example audit or internal control).

2) Risks related to IT projects

– Non-appropriation risks from future users of IT solutions under development are evaluated and incorporated into a change management plan.

– Independent audits are conducted to assess the risks associated with IT projects (deviation in terms of costs, schedules and functionalities) and are followed by action plans.

Level 4

1) Risks related to IT failure

– There is an action and investment plan approved by the Executive Committee to secure the critical components identified jointly with business units.

– There is also a business continuity plan (BCP) developed jointly between IT department and business units. This plan includes the DRP but also describes the mitigation activities to be carried out by the business units according to the phases prior to returning to the normal situation. It also contains the procedures for crisis communication.

– The IS risk management policy is integrated into the company’s risk management policy.

– Policies and procedures of the IT department relating to relations with third parties do exist and are in accordance with the general policy of the company.

– The company ensures compliance with laws and regulations, as well as the effectiveness of the procedures and of the security measures in place (e.g. protection of personal data, respect for intellectual property, legal archiving period and laws on IT fraud).

2) Risks related to IT projects

– The risks of not reaching the targeted business objectives with IT projects are evaluated.

– The Executive Committee ensures that the results of the risk analysis (conducted via internal or external independent audits and/or by the project teams themselves) are followed up through appropriate corrective action plans.

3) Risks related to the missed opportunities of not using technology

– The company has implemented a technology watch, allowing the identification of the opportunities likely to create a competitive advantage through technology.

– The organization of this watch associates business units and the IT department, and even external partners.

Level 5

1) Risks related to IS failure

– The Executive Committee ensures the proper implementation of the security action plans that it has approved.

– Experience feedback is capitalized to enable the company to follow a process for continuous improvement.

2) Risks related to the missed opportunities of not using technology

– To avoid this risk, the company’s budget and planning process takes into account the opportunities likely to create a competitive advantage through technology.

5.10. Vector 10: management and measurement of IS performance

5.10.1. Issues of this vector in the digital transformation

The specificities of the digital transformation require adapting the tools that measure IS performance and that accompany any approach for improving governance. Concretely, the performance must take into account the following characteristics:

– Short cycles: in an ecosystem as dynamic as digital technologies, it may be difficult to make accurate forecasts. It is therefore necessary to develop and rapidly deploy following a logic of small steps (“Think big, act small”).

– Constant measurement: in order to ensure consistency between the transformation actions initiated and changes in the sector of activity.

– Controlled risk taking: to move fast, it is often necessary to take risks, otherwise companies may not be able to innovate enough to face their challenges.

5.10.2. Issues of the vector in terms of contribution to IS governance

The definition of performance is relative. It depends on the context of the company, history and culture. This is a frequent phenomenon during a performance audit: each actor proposes its own definition and its own indicators, which can distort the benchmarking processes since data and values are not always comparable.

One of the main objectives of this book is precisely to provide all actors of the IS (within the IT department or on the “business” side), as well as internal and external auditors, with a set of common references on good EISG practices. This should make it possible to evaluate as objectively as possible the level of maturity of the company in terms of IS governance and to deduce priority improvement action plans, taking into account its context and business challenges.

This initial evaluation, as well as the follow-up of the targeted improvements requires that performance indicators are measured and integrated into a dashboard. In this way, the company can drive its IS and improve communication between the IT department and the rest of the company. As a matter of fact, “What cannot be measured cannot be managed”.

This chapter describes the maturity levels of this dashboard, whose most accomplished form is the IT scorecard⁴.

The IT scorecard is a transposition at the IS level of the Kaplan and Norton’s balanced scorecard that takes into account:

– IT specificities, mainly in risk-related topics;

– and the necessary alignment of Information Systems with the objectives of the “business processes” in order to maximize their contribution to value creation for the company.

⁴ Readers familiar with French can find a description of the scorecard transposed to IS management in the AFAI book “Pilotage du SI par l’entreprise – les nouveaux tableaux de bord de l’IT scorecard – guide de référence”. A summary of the IT scorecard approach is presented in Appendix 1.

The IT scorecard includes six perspectives under which all the performance and risk management objectives assigned to the IS can be classified; it is represented in Figure 5.11. It somewhat resembles a temple whose roof is represented by value and the foundations by risks, while the pillars represent the direct transposition at the IS level of the Kaplan and Norton’s balanced scorecard (BSC).

Figure 5.11.

5.10.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– The IT department is aware of the need for collecting and evaluating information in order to manage its activities, but has not yet implemented any formalized and standardized procedures.

– The metrics are implemented on a case-by-case basis depending on the requirements of the projects (e.g. monitoring the use of time sheets) and/or on the recurring processes (availability of a given IT application, WAN network availability, etc.) most often following incidents that caused inefficiencies in the correct operation of the company.

– A draft of the IT department dashboard is implemented and addressed to the IT management.

Level 2

– The IT department dashboard fully integrates the operational management of all IT processes that are under the responsibility of the CIO:

- performance of both “projects” and “recurring services” processes;

- economic IT management;

- management of skills within the IT department.

– Tools and collection procedures are put in place for the main indicators.

– The analysis of the indicators thus collected remains the responsibility of a few specialists.

Level 3

– The IT department dashboard is complemented with two components:

- identification of the contribution of the IS toward the company’s value creation;

- “business” risk management associated with the use of the IS.

– Tools and collection procedures are generalized.

– All the indicators are regularly monitored, and results are communicated and explained to the rest of the company.

– These results are used to monitor service level agreements and project contracts.

– Improvement action plans shared by the IT department and the business units are implemented.

– Feeding service level agreements and project contracts on a regular basis with reliable information also helps in improving the working relationships between the IT department and its clients.

Level 4

– The company has conducted an assessment of its level of maturity in terms of Enterprise IS Governance. A “radar” including the 11 vectors has been formalized and improvement action plans have been launched by the Executive Committee and the IT department.

– IT scorecard-based dashboards (see Level 3) are not only used by the IT department for its own management purposes, but also and especially by the Executive Committee to include therein the agreed objectives for improving the company’s governance of its IS. This concerns in particular the following two components:

- identification of the IS contribution toward the company’s value creation needs;

- “business” risk management associated with the use of the IS.

– These dashboards can now be used as a communication tool, demonstrating to the company how the IS (and the IT department) contributes to the value creation and to the “business” risks management while optimizing the resources implemented to meet these objectives.

Level 5

– The level of maturity (“radar”) is regularly reassessed, using the maturity levels defined in Vectors 1–11 of this book.

– The IT scorecard is under regular monitoring by the IT department and the Executive Committee.

– This monitoring results in corrective action plans.

– The company uses the IT scorecard and the radar’s maturity to maintain a continuous improvement process of the Executive Committee.

– The company understands how the IS (and the IT department) contributes to the value creation and to the “business” risk management while optimizing the resources implemented to meet these objectives.

5.11. Vector 11: IS-related communication management

5.11.1. Issues of this vector in the digital transformation

The reactivity inherent to the digital transformation imposes great fluidity in terms of team communication, which is both formal and informal (in particular through social networks at the company’s internal level).

It also assumes a wide sharing of experiences and expertise (knowledge management) as well as a great ability to get all the different actors working together (project mode, collaborative work).

5.11.2. Issues of the vector in terms of contribution to IS governance

The best practices associated with this vector are designed to properly take into account the concepts of transparency and communication in the IS governance process. In effect, transparency and communication act as binders to this approach; they are the guarantee of a responsible and effective implementation of the selected guidelines. The transparency and communication goals are as follows:

– provide confidence to Executive Committee and to stakeholders;

– collect and disseminate information concerning IS governance-related aspects;

– bring forward the elements upon which decision making is based;

– involve the responsibility of decision-makers by giving them the possibility to act with full knowledge of the facts.

To be effective, communication must be adapted to the different targets to which it is addressed:

– internal within the IS function (CIO, representatives of the business, “account managers”, etc.);

– internal to the clients of the IS function (Executive Committee, business units management, end users);

– external (clients, company’s suppliers and partners, regulating bodies, media in general, etc.).

In order to effectively address these targets, best practices associated with this vector must include:

– the existence and the implementation of communication plans adapted to the different targets;

– the establishment of suitable crisis communication.

5.11.3. Best practices associated with the vector and measurement of the company’s maturity level in the vector

Level 1

– Internal communication in the IT department is performed from time to time on its own initiative. Actors are identified to transmit it and it is primarily achieved informally.

– The internal company’s communication occasionally contains information about the IS strategy, IT projects and the organization of the IT managerial board.

– Outwards communication from the company concerning the IS is limited to brief mentions in regulatory reports.

– Crisis communication is carried out in a reactive or even “defensive” mode. It is neither structured nor anticipated.

Level 2

– A communication plan associated with the IS exists and it is internally addressed within the company. It specifies the roles and responsibilities of the actors/bodies in charge of the IS. It contains information on priorities and on the organization of the IS function as well as the main achievements regarding deployments within the company. Apart from the IT department itself, this communication is general; it does not contain any measurable elements about the IS performance.

– This communication is primarily done within and through existing bodies (strategic committee, management committees, steering committees, etc.) on the basis of adapted presentation documents and selected transmission of session minutes.

– IS-related crisis communication is structured by means of an adapted and validated communication plan. It is established and implemented by the IT department. It accompanies the DRP after failure of the IT system.

Level 3

– The main projects and some performance indicators (IT applications availability, service-desk activities, projects ROI, number of deployments on workstations, etc.) are the focus of adapted communication plans intended for all company employees.

– The communication of the IS strategy is transmitted within the company in a regular and accessible fashion to all employees.

– The IS communication plan is coordinated with the company’s communication plan. In particular, there are specific supports (virtual or physical spaces, tools) dedicated to the IS communication.

– The IT department fosters the communication plans that the company intends to implement in case of crisis. They accompany a business continuity plan (BCP).

Level 4

– The IT department dashboard is used as a communication tool between the IT department and the rest of the company, specifically for the components:

- identification of the contribution of the IS toward the company’s value creation;

- “business” risk management associated with the use of the IS.

– The IS is too often represented as a “black box” for the rest of the company. The evaluation of the company’s maturity in terms of Enterprise IS Governance (EISG) (see Level 4 of Vector 10) is used as a communication tool that makes it possible to open this black box, by confronting each business and/or IT department executive with its responsibilities.

– The IS communication plan is fully integrated into the company’s communication plan. It is periodically reviewed and adapted.

– A number of specific media (intranet, newsletter, etc.) can be used to transmit IS communications.

– Crisis communication exercises are practiced.

Level 5

– The effectiveness of the IS communication plan is measured and a permanent review of the plan takes into account the practical feedback, particularly in crisis communication.

– The communication plan is pro-active, which means that there are opportunities (blog, meetings, communities activities, etc.) where the IS function actually gets together with its targets in terms of communication (employees, internal clients, external clients, etc.).

– Cooperative communication tools, such as expertise communities animated on the basis of events or a company’s social network, are implemented. Their nature is to promote innovation and to share experience and expertise.

Bibliography

[ACA 09] ACADEMIE, La Gouvernance d’Entreprise, Une vision globale du management, Académie des Sciences et Techniques Comptables et Financières de l’Ordre des Experts Comptables, Cahier no. 14, 2009.

[AFA 03] AFAI, Maîtrise d’ouvrage de projet de système d’information-Principes, Rôles, Responsabilités, Facteurs de Succès, Report, 2003.

[AFA 04a] AFAI, Rentabilité des projets informatiques – Méthode, Outils, Cas Pratiques, Report, 2004.

[AFA 04b] AFAI, Maîtriser les coûts informatiques, Modèle de référence, Report, 2004.

[AFA 06] AFAI, La contribution du système d’information à la valeur de l’entreprise – démarche, cas concrets, Report, 2006.

[AFA 09] AFAI, RISK IT, Référentiel de maîtrise des risques d’entreprise liés à l’utilisation du SI – Principes, Processus, guide de management, modèles de maturité/ITGI, Report, 2009.

[AFA 11] AFAI, Pilotage du SI par l’entreprise, les nouveaux tableaux de bord de l’IT scorecard- guide de référence, Report, 2011.

[BAB 14] BABINET G., L’ère numérique, un nouvel âge de l’humanité – Cinq mutations qui vont bouleverser notre vie, Le Passeur, 2014.

[BOU 06] BOUNFOUR A., EPINETTE G., Valeur et Performance des SI – une nouvelle approche du capital immatériel de l’entreprise, Dunod, 2006.

[CIG 04] CIGREF, It Governance: Pilotage de l’informatique pour dirigeants d’entreprise-Modèle de référence, AFAI, 2004.

[CIG 08] CIGREF, Pilotage de la stratégie SI, Quelques bonnes pratiques d’exécution du plan stratégique SI/CIGREF, Report, 2008.

[CIG 09a] CIGREF, L’information, Prochain défi pour les entreprises: Pratiques de création de valeur par les SI et leur usage: cartographie 2009/CIGREF, Cap Gemini Consulting, 2009.

[CIG 09b] CIGREF, Relations DSI‐Métiers, Vers une gouvernance commune du système d’information, Report, 2009.

[CIG 10] CIGREF, Les Fonctions SI et l’Organisation au service des Métiers, Optimiser la création de valeur pour l’entreprise, Report, 2010.

[CLU 06] CLU, Urbanisme des SI et Gouvernance – retours d’expérience et bonnes pratiques, Club Urba-EA, Dunod, 2006.

[COB 12] COBIT 5, Référentiel d’entreprise pour la Gouvernance et le Management de son Système d’Informations – principes, bonnes pratiques, outils d’analyse et modèles de maturité/ITGI, AFAI, 2012.

[COL 15] COLIN N., VERDIER H., L’âge de la multitude – Entreprendre et gouverner après la révolution numérique, Armand Colin, 2015.

[DEL 09] DELAYAT R., Le Contrôle interne du système d’information des organisations, CIGREF, 2009.

[DUC 06] DUCHESNE C., Le pilotage d’une DSI, AFAI, 2006.

[EPI 05] EPINETTE G., Alignement Des Projets Informatiques – un retour d’expérience, AFAI, 2005.

[ESC 06] eSCM, Référentiel de bonnes pratiques de Sourcing élaborées par l’université de Carnegie Mellon, Pittsburgh, USA, 2006.

[GSI 11] GOUVERNANCE DU SYSTEME D’INFORMATION, Guide d’audit, CIGREF-IFACI-AFAI, 2011.

[HAM 92] HAMMER M., CHAMPY J., Business Process Reengineering: A Manifesto to Business Revolution, Harper Business, New York, 1992.

[IFA 08] IFACI. “Comment fédérer tous les acteurs de la maîtrise des risques des systèmes d’information?”, Colloque des 11 & 12 June, 2008.

[ITI 07] ITIL Version 3, Service Delivery – IT Infrastructure Library, The Stationery Office, Office of Government Commerce, UK, 2007.

[FAY 14] FAYON D., TARTAR M., Transformation digitale, Pearson France, 2014.

[KAP 96] KAPLAN R., DAVID N., The Balanced Scorecard: Translating Strategy into Action, Harvard Business School Press, 1996.

[LEM 14] LEMOINE P., La nouvelle grammaire du succès – La transformation numérique de l’économie française, Rapport au gouvernement, November 2014.

[LER 06] LE ROUX B., PAUMIER J., La Gouvernance de l’évolution du SI-alignement et agilité, Hermes Science-Lavoisier, Paris, 2006.

[POR 80] PORTER M., Competitive Strategy: Techniques for Analyzing Industries and Competitors, Free Press, 1980.

[POR 85] PORTER M., Competitive Advantage: Creating and Sustaining Superior Performance, Free Press, 1985.

[OCT 12] OCTO TECHNOLOGY, Les Géants du Web, Octo, 2012.

[THO 03] THORP J., The Information Paradox – Realizing the Business Benefits of Information Technology, McGraw Hill, 2003.

[TOG 09] TOGAF, Version 9: The Book, available at: www.opengroup.org/togaf, 2009.

[VAL 06] VAL IT 2.0., Création de valeur pour l’entreprise : la gouvernance des systèmes d’information / ITGI, AFAI, 2006.

[WEI 04] WEILL P., ROSS J.W., IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004.

Appendices

Appendix 1

IT Scorecard

A1.1. AFAI source: Information System management dashboards

Improving IS governance is a process of continuous progress analogous to total quality processes. Improvement targets can be classified into the six perspectives of an IT scorecard, which is the transposition at the IS level of Kaplan and Norton’s balanced scorecard (BSC). At the same time, these perspectives take into consideration the specificities of the IS, particularly in terms of risks. They also take into account the fact that ISs exist to support corporate business processes. As a result, they must be aligned with the objectives of these processes and make a maximal contribution to value creation objectives.

The IT scorecard can therefore be illustrated as in Figure A1.1, in the form of a temple whose roof is represented by value and its foundations by risks, and where the pillars represent the direct transposition at the IS level of Kaplan and Norton’s BSC.

Since best practices vary widely, by nature, depending on whether we are considering transformation projects or the management of recurring operations, the six perspectives of the IT scorecard are divided into two dimensions: transformation and operations.

Digital Transformation: Information System Governance, First Edition.

Jean-Louis Leignel, Thierry Ungaro and Adrien Staar.

© ISTE Ltd 2016. Published by ISTE Ltd and John Wiley & Sons, Inc.

Figure A1.1. Six IT scorecard perspectives (sources: IGSI)

We find in Figure A1.2 the “detailed” view of the transformation dimension, composed, for each perspective, of a number of axes for the application of best practices related to transformation projects.

Figure A1.2. (source: [AFA 11])

Similarly, we find in Figure A1.3 the axes for the application of best practices of the operations dimension concerning the functioning of recurring operations.

Figure A1.3. (source: [AFA 11])

NOTE.– It should be noted that good EISG practices, described in this book for each of the “11 vectors”, can usefully be “consolidated” in the context of the IT scorecard, for communication purposes with the Executive Committee. This is because they correspond to “finalities”, while the “11 vectors” correspond to the “means” to achieve those finalities.

In other words, the assessment of maturity is not a tool that can operate without a comparison against the results obtained. As mentioned in the discussion of the maturity of practices, maturity relates to the “how”, whereas what really matters in the end is the “what”, meaning the results obtained.

Appendix 2

Economic Steering of IT Department

The economic management of the IS can be defined as an active component of the company’s overall management through the Return On Investment (ROI) measurement of business projects involving the IS, and through the effective management of IT resources.

The economic management of the IS includes not only the optimization of IT expenses, but also the choice of investments by the management of project portfolios and the prospective management of IT resources with regard to their contribution to the corporate strategy. This makes it possible to establish a relationship of trust between the Executive Committee and the IS, insofar as it puts IT costs into perspective with the company’s challenges.

The existing relationship between the IS and the clients of its services within the organization can be qualified as a customer–supplier partnership. In the context of this relationship, economic supervision will help to align the contribution of the IS with the company’s profit and loss account, through a good understanding of the financial and strategic IS challenges for the company.

The IT budget should at least be decomposed into two large parts, or even a third intermediate part represented by “IT application evolution”, because they correspond to completely different management modes:

– “transformation” expenses associated with business projects;

– operating expenses associated with recurring services.

It should also be kept in mind, as shown in Figure A2.1, that what starts as a “project” becomes “recurring”; the decisions taken in the context of “projects” are therefore the ones that will have the greatest impact on the development of the “recurring” budget.

Figure A2.1.

A2.1. Expenses related to “transformation” projects (change)

This concerns the so-called discretionary IT expenditure dedicated to “business projects” and considered as investments. The IT resources necessary for the successful implementation of “business projects” are evaluated in “business cases”, which allow the Executive Committee and business units to select the most interesting projects for the development of the company, in the context of project portfolio management.

The selection of the most interesting “business projects” for the future of the company, particularly in the context of the digital transformation, is carried out through the analysis of their “business case” and the identification of the relationships between projects, within the context of portfolio management.

The “business cases” analysis will mainly focus on the following four axes:

1) value creation with regard to the strategy of the company’s entities and the benefits targeted in the medium term (Net Present Value (NPV), Pay-Back, etc.);

2) architectural coherence with respect to the orientations of the “IS master plan”: “legacy” applications, technological choices, other projects which are underway or upcoming, etc.;

3) resource allocation (“business” staff and IT department, hardware, etc.) and the related costs necessary for the successful execution of the project within the schedules defined in the commitment and delivery plan;

4) conditions necessary for the realization of the expected “business benefits”: reorganization of “business” processes, adaptation of skills, involvement of “business” executives for the duration of the project, etc.

A2.2. Expenditures related to “recurring operations” (Run)

This refers to IT expenditures dedicated to production and support activities for recurring services provided by IT to its clients and products. They mainly designate the expenditures contributing to maintaining the company’s applications as well as IT tools and infrastructures in operating condition, that is to say:

– recurring IS administration activities, whether at the operational or configuration level;

– infrastructure and telecoms expenditures;

– all the equipment bought or made available and all of the activities carried out by IT production projects (excluding software);

– IT department activities, management and support, steering, governance and administration tools;

– IT department organization or transformation projects;

– compatible technical migration projects;

– corrective maintenance.

The performance analysis of these operation expenditures revolves around the “service catalogue” and includes highlighting the unit cost of services. In fact, it is the evolution over the years of these unit costs that will measure the productivity of the expenditures related to the “Run”.

A2.3. Expenditures relating to “IT application evolutions”

They can be classified between transformation expenditures and recurring expenditures and concern enhancements, adaptations or developments in existing applications, decided outside of “business cases”. The decision to launch these “evolution” projects is taken in common between the business units and the IT department without intervention by the Executive Committee.

However, it is extremely important to keep these expenditures within reasonable limits, and to do so, it is necessary to properly establish a budget for each IT application in the context of budgetary negotiations.

A2.4. Main reasons for challenging the IT budget

Our experiences have shown that there are three main reasons for challenging IT expenditures.

A2.4.1. Reason no. 1: cyclical effects

The development of the company’s sector of activity is an important factor that contributes to challenging IT expenditures. Changes in the company’s ecosystem cause companies to see changes in their main financial or economic indicators: profit and loss accounts, ROI, etc. In summary, these are economic factors exogenous to the IT department that make it necessary, in the short term, to reduce its expenditure level. Imagine yourself in a large bank in 2008, in full “subprime” effect: financial indicators in the green for several years, an expected growth that gave the heads of banks the possibility to heavily invest in their organization (including IT) to prepare for the future. And within a few weeks an entire economy was turned upside down and discredited. The question that then arose was: Should we continue or stop ongoing investments? Where are these investments leading us now?

A2.4.2. Reason no. 2: mature IS department

This need may arise from a pro-active approach of the IT department, which will seek to guarantee its internal clients that IT services are optimized in terms of quality provided compared to the costs incurred, and therefore will need reliable indicators measuring the effectiveness and the efficiency of IT expenditures. This approach, which often relies on external benchmarks, is of great interest to the Executive Committee, because it allows opening the “black box” that the IT department often represents and highlights its contribution to the creation of “business” value for the company.

A2.4.3. Reason no. 3: a strategic action plan, for example resulting from the digital transformation that the company is confronted with

The implementation of such a corporate strategic plan may require:

– to reduce “Run” or even “IT application evolutions” expenditures;

– to possibly not launch a number of projects considered to have lower priority in order to dedicate more resources to projects essential for the company’s future.

These projects related to digital transformation have a cost. The expected gains are uncertain if the company is not fully ready to reap all the benefits. It must therefore allocate resources to the IS as accurately as possible. To this end, it is necessary to be constantly prepared to work on several topics at once, both when investing in several technologies depending on clients and market, and when selecting the most promising projects.

In any case, regardless of the reason for challenging IT expenditures, this must not impact on the global budget in an undifferentiated manner. On the contrary, it is important to distinguish the three main components of this budget, namely:

1) transformation projects;

2) recurring operations;

3) IT application evolution.

The aim is to be able to assign relevant objectives to each of the components; an undifferentiated cut would otherwise yield results contrary to the targeted objectives and jeopardize the company’s future. Faced with this problem, EISG will help the company to make the best choices regarding its challenges and to allocate resources to strategic projects that are essential to the company’s future.

Appendix 3

Glossary

Academy: The Académie des sciences et techniques comptables et financières is a part of the National Association of Chartered Accountants (Ordre des Experts Comptables in France). This network aims to develop the businesses, knowledge and skills of French professionals in auditing, accounting and finance.

AFAI: (Association Française des Auditeurs et consultants informatiques). It is the French chapter of the ISACA.

APO: Assistant to the project owner. The APO assists the contracting authority in all or some of its tasks on a project, including identification of requirements, acceptance testing of the solution delivered by the contracting authority, and project and change management. The use of an APO is generally justified by the size or complexity of the project.

Business units: This term refers to an entity of the company that is the beneficiary of a project. Usually business units delegate project management to a Contracting Authority (CA). Depending on the business and on the context of the project, the CA may consist of people who are part of the business and have competence in project management, or of an entity specialized in project management.

Business units are generally involved in defining requirements in connection with the CA. When the solution is concretized, they also participate in the evaluation of the solution jointly with the CA.

Business continuity plan (BCP): Includes the disaster recovery plan (DRP) but also describes the mitigation activities that should be exercised by business units based on the various phases prior to returning to the normal situation. It also contains the modalities for crisis communication.

CIGREF: (Club Informatique des Grandes Entreprises Françaises) An association of large French companies which aims to help their leaders make them more innovative and more efficient, in particular through better management of their information system. It is a crossroads for information, exchange and orientation about the company at the heart of the digital world.

CMMi: Capability Maturity Model Integration. This framework of best practices to be implemented to guarantee the quality of IT developments has been developed by Carnegie Mellon University. It allows the evaluation of the maturity of an organization, using five levels that can be the subject of certifications.

COBIT 5: The framework of the ISACA which structures the objectives of IS governance, the control objectives and the best practices per IT area and per process, and connects them to business requirements. It integrates Val IT and Risk IT, includes 37 processes distributed in seven areas, relying on 208 best practices covering all areas of responsibility of IT and ISs.

Disaster recovery plan (DRP): This plan is a device that allows a company to rebuild its IT infrastructure after a major disaster, and to restart all the applications in its IS.

Function points: A tool for measuring the functional size of a software program or of an IS. To do so, the number of inputs, outputs, questions, external and internal data is identified, taking into account for each of these entities their level of complexity (simple, medium or high).

This metric, normalized to the international level, is very useful for the management of development costs of the IT department.

IGSI: (Institut de la Gouvernance des Systèmes d’information). A joint association between the AFAI and the CIGREF aiming to promote best practices in matters of Enterprise IS Governance in the French-speaking world.

Information System (IS): The notion of “information system” used in this book corresponds to the definition found on Wikipedia, namely “the set of resources (personnel, hardware, software, data and procedures) organized to collect, store, process, and communicate information. The information system coordinates, by means of structuring exchanges, the activities of the organization and thus allows it to achieve its objectives”.

ISACA: The Information System Audit and Control Association is the association which makes reference in these domains at the international level. It comprises a research center called the IT Governance Institute (ITGI), which produces recognized frameworks at the international level, such as CobiT, Val IT or Risk IT, recently integrated into COBIT 5.

IS development plan: This concerns a development avenue of the IS built to guarantee the total architectural coherence (business, functional, technical and application related) of the target of the IS. In this sense, it constitutes an embryo of an IS master plan.

ISMP: Information systems master plan.

IS multi-annual master plan: The IS master plan aims to formalize developments in the IS in the medium term arising either from the company’s strategy, or from technological contributions created by the IT ecosystem, or even from the existing IS analysis. This synthesis document is jointly prepared by the IT management and “business units” and then validated by the general management. For a given horizon (most often 3–5 years), it describes in a concrete manner how the information system (in functional, application, but also technical infrastructure “layers”) should be deployed to meet the objectives defined and provide the services expected.

ITIL: Information Technology Infrastructure Library. This is an international framework for best practices in terms of IT services that covers the following processes: HelpDesk, incident management, problem management, change management, releases into production, configuration management.

PE: Project execution. Mandated by the PO, the PE is responsible for the technical choices necessary for the implementation of the project. The PE also has a key role in complying with project costs, quality and schedules in accordance with the requirements formulated by the PO.

In this book, and consistent with good IS management practices, the term PE is not used to designate an organization or a specific entity (also it may sometimes designate the IT department), but only a role in the IT function.

PMI: The Project Management Institute, founded in 1969, a non-profit professional association that provides project management methods. It publishes standards for project management and is responsible for the certification of project management processes.

The term PMI commonly refers to the project management methodology advocated by the Project Management Institute. It includes 47 processes that can be applied to each of the five phases of a project (initialization, planning, execution, control and monitoring, completion).

PMP: Project management plan. A document that specifies the totality of organizational arrangements put in place to manage a project, in addition to the quality system in force in the company.

Usually, a PMP addresses the following topics:

– project presentation (context, challenges, risks, technical environment, etc.);

– project organization (governance and decision-making bodies, organizational chart, internal and external project team, responsibility matrix, project logistics, etc.);

– production process (configuration management, change management, delivery management, quality management, document management, etc.);

– project planning;

– list of the main deliverables;

– PMP updating modalities.

PO: Project Owner. The PO defines the requirements, budget and planning of the business project and ensures its coordination. To this end, it represents the clients and end users of the business units. To carry out the project, a project management plan (PMP) is generally formalized. At the end of the implementation, the PO is responsible for verifying through evaluation that the outcome of the project is consistent with expectations.

The PO may rely on internal or external assistance (usually provided by a consulting firm, if external) (APO) for all the tasks it is responsible for.

In this book, and consistent with good IS management practices, the term PO is not used to designate an organization or a specific entity, but only a role in the information technology function.

RISK IT: The framework of the ISACA for IS and technologies risk management. It is a guide of governing principles and best practices which helps companies to implement ad hoc governance to identify and effectively manage IT risks.

ROI: Return on investment. It measures the directly measurable quantitative gains or costs avoided due to the project, expressed as a percentage of the investments allowed for the project. Although it is too often regarded as a key indicator, basing the project launch decision on this single indicator is too reductive.

In effect, since only a minority of projects have real financial ROI, it is more appropriate to assess the “value” provided by a project during the launch decision. It considers, in addition to the ROI, the whole set of qualitative benefits related to the project (increase in quality of service, compliance with regulatory obligations, etc.).

SDCITIS: Steering and Decision Committee concerning Information Technology and Information Systems.

The main missions of the SDCITIS are to validate the proposals for the development of the IS, to take all decisions concerning the management of the portfolio of business projects with a significant IT component (launch, monitoring, reorientation, reviewing, etc.) and monitor the IS budget, both with regard to the “operation” component through the evolution of the unit costs of recurring IT services, and the “projects” component through the monitoring of “business cases”.

It is led by a representative of the Executive Committee and brings together business representatives as well as the IT management.

SLA: Service Level Agreement. This term designates a service contract between supplier and client. When supplier and client are two entities of the same company, it is rather referred to as a service agreement.

This agreement details the scope, content and the expected quality level (or service level) of the provision, as well as the respective responsibilities of supplier and client, warranties, delivery evaluation criteria, or even penalties in case of failure to comply with the commitments made.

TOGAF: The Open Group Architecture Framework, a set of concepts and an industry standard covering the field of business IT architectures, which can be used freely and without cost by any company wishing to develop or modify its architecture.

Val IT: (Enterprise Value: Governance of IT investments) the reference framework developed by the ISACA for the good governance of IT investments.

Since business transformation projects comprise increasingly often a significant computing component, this good governance becomes increasingly essential to enable the company to meet its development and value creation objectives.

Other titles from

in

Computer Engineering

2016 BLUM Christian, FESTA Paola Metaheuristics for String Problems in Bio-informatics (Metaheuristics Set – Volume 6)

DEROUSSI Laurent Metaheuristics for Logistics (Metaheuristics Set Volume 4)

DHAENENS Clarisse and JOURDAN Laetitia Metaheuristics for Big Data (Metaheuristics set – Volume 5)

LABADIE Nacima, PRINS Christian, PRODHON Caroline Metaheuristics for Vehicle Routing Problems (Metaheuristics Set – Volume 3)

LEROY Laure Eyestrain Reduction in Stereoscopy

MAGOULÈS Frédéric, ZHAO Hai-Xiang Data Mining and Machine Learning in Building Energy Analysis

Page 159: Digital transformation: information systems governance

2015 BARBIER Franck, RECOUSSINE Jean-Luc COBOL Software Modernization: From Principles to Implementation with the BLU AGE® Method

CHEN Ken Performance Evaluation by Simulation and Analysis with Applications to Computer Networks

CLERC Maurice Guided Randomness in Optimization (Metaheuristics Set – Volume 1)

DURAND Nicolas, GIANAZZA David, GOTTELAND Jean-Baptiste, ALLIOT Jean-Marc Metaheuristics for Air Traffic Management (Metaheuristics Set – Volume 2)

MAGOULÈS Frédéric, ROUX François-Xavier, HOUZEAUX Guillaume Parallel Scientific Computing

MUNEESAWANG Paisarn, YAMMEN Suchart Visual Inspection Technology in the Hard Disk Drive Industry

2014 BOULANGER Jean-Louis Formal Methods Applied to Industrial Complex Systems

BOULANGER Jean-Louis Formal Methods Applied to Complex Systems: Implementation of the B Method

GARDI Frédéric, BENOIST Thierry, DARLAY Julien, ESTELLON Bertrand, MEGEL Romain Mathematical Programming Solver based on Local Search

KRICHEN Saoussen, CHAOUACHI Jouhaina Graph-related Optimization and Decision Support Systems

LARRIEU Nicolas, VARET Antoine Rapid Prototyping of Software for Avionics Systems: Model-oriented Approaches for Complex Systems Certification

Page 160: Digital transformation: information systems governance

OUSSALAH Mourad Chabane Software Architecture 1 Software Architecture 2

PASCHOS Vangelis Th Combinatorial Optimization – 3-volume series, 2nd Edition Concepts of Combinatorial Optimization – Volume 1, 2nd Edition Problems and New Approaches – Volume 2, 2nd Edition Applications of Combinatorial Optimization – Volume 3, 2nd Edition

QUESNEL Flavien Scheduling of Large-scale Virtualized Infrastructures: Toward Cooperative Management

RIGO Michel Formal Languages, Automata and Numeration Systems 1: Introduction to Combinatorics on Words Formal Languages, Automata and Numeration Systems 2: Applications to Recognizability and Decidability

SAINT-DIZIER Patrick Musical Rhetoric: Foundations and Annotation Schemes

TOUATI Sid, DE DINECHIN Benoit Advanced Backend Optimization

2013 ANDRÉ Etienne, SOULAT Romain The Inverse Method: Parametric Verification of Real-time Embedded Systems

BOULANGER Jean-Louis Safety Management for Software-based Equipment

DELAHAYE Daniel, PUECHMOREL Stéphane Modeling and Optimization of Air Traffic

FRANCOPOULO Gil LMF — Lexical Markup Framework

Page 161: Digital transformation: information systems governance

GHÉDIRA Khaled Constraint Satisfaction Problems

ROCHANGE Christine, UHRIG Sascha, SAINRAT Pascal Time-Predictable Architectures

WAHBI Mohamed Algorithms and Ordering Heuristics for Distributed Constraint Satisfaction Problems

ZELM Martin et al. Enterprise Interoperability

2012

ARBOLEDA Hugo, ROYER Jean-Claude Model-Driven and Software Product Line Engineering

BLANCHET Gérard, DUPOUY Bertrand Computer Architecture

BOULANGER Jean-Louis Industrial Use of Formal Methods: Formal Verification

BOULANGER Jean-Louis Formal Method: Industrial Use from Model to the Code

CALVARY Gaëlle, DELOT Thierry, SÈDES Florence, TIGLI Jean-Yves Computer Science and Ambient Intelligence

MAHOUT Vincent Assembly Language Programming: ARM Cortex-M3 2.0: Organization, Innovation and Territory

MARLET Renaud Program Specialization

SOTO Maria, SEVAUX Marc, ROSSI André, LAURENT Johann Memory Allocation Problems in Embedded Systems: Optimization Methods

2011

BICHOT Charles-Edmond, SIARRY Patrick Graph Partitioning

BOULANGER Jean-Louis Static Analysis of Software: The Abstract Interpretation

CAFERRA Ricardo Logic for Computer Science and Artificial Intelligence

HOMES Bernard Fundamentals of Software Testing

KORDON Fabrice, HADDAD Serge, PAUTET Laurent, PETRUCCI Laure Distributed Systems: Design and Algorithms

KORDON Fabrice, HADDAD Serge, PAUTET Laurent, PETRUCCI Laure Models and Analysis in Distributed Systems

LORCA Xavier Tree-based Graph Partitioning Constraint

TRUCHET Charlotte, ASSAYAG Gerard Constraint Programming in Music

VICAT-BLANC PRIMET Pascale et al. Computing Networks: From Cluster to Cloud Computing

2010

AUDIBERT Pierre Mathematics for Informatics and Computer Science

BABAU Jean-Philippe et al. Model Driven Engineering for Distributed Real-Time Embedded Systems 2009

BOULANGER Jean-Louis Safety of Computer Architectures

MONMARCHE Nicolas et al. Artificial Ants

PANETTO Hervé, BOUDJLIDA Nacer Interoperability for Enterprise Software and Applications 2010

PASCHOS Vangelis Th Combinatorial Optimization – 3-volume series Concepts of Combinatorial Optimization – Volume 1 Problems and New Approaches – Volume 2 Applications of Combinatorial Optimization – Volume 3

SIGAUD Olivier et al. Markov Decision Processes in Artificial Intelligence

SOLNON Christine Ant Colony Optimization and Constraint Programming

AUBRUN Christophe, SIMON Daniel, SONG Ye-Qiong et al. Co-design Approaches for Dependable Networked Control Systems

2009

FOURNIER Jean-Claude Graph Theory and Applications

GUEDON Jeanpierre The Mojette Transform / Theory and Applications

JARD Claude, ROUX Olivier Communicating Embedded Systems / Software and Design

LECOUTRE Christophe Constraint Networks / Targeting Simplicity for Techniques and Algorithms

2008

BANÂTRE Michel, MARRÓN Pedro José, OLLERO Hannibal, WOLITZ Adam Cooperating Embedded Systems and Wireless Sensor Networks

MERZ Stephan, NAVET Nicolas Modeling and Verification of Real-time Systems

PASCHOS Vangelis Th Combinatorial Optimization and Theoretical Computer Science: Interfaces and Perspectives

WALDNER Jean-Baptiste Nanocomputers and Swarm Intelligence

2007

BENHAMOU Frédéric, JUSSIEN Narendra, O’SULLIVAN Barry Trends in Constraint Programming

JUSSIEN Narendra A to Z of Sudoku

2006

BABAU Jean-Philippe et al. From MDD Concepts to Experiments and Illustrations – DRES 2006

HABRIAS Henri, FRAPPIER Marc Software Specification Methods

MURAT Cecile, PASCHOS Vangelis Th Probabilistic Combinatorial Optimization on Graphs

PANETTO Hervé, BOUDJLIDA Nacer Interoperability for Enterprise Software and Applications 2006 / IFAC-IFIP I-ESA’2006

2005

GÉRARD Sébastien et al. Model Driven Engineering for Distributed Real Time Embedded Systems

PANETTO Hervé Interoperability of Enterprise Software and Applications 2005