enterprise governance of it · bsc, information economics, sla, cobit, val it, itil, it alignment /...

Enterprise Governance of IT

Prof. dr. Wim Van GrembergenDr. Steven De Haes

University of Antwerp (UA)University of Antwerp Management School (UAMS)

IT Alignment and Governance Research Institute (ITAG)

www.uams.be/itag

2

Agenda

• Enterprise Governance of IT

• Enterprise Governance of IT practices

• Enterprise Governance of IT as enabler for business / IT alignment

• Enterprise Governance of IT as enabler for business value

3

Setting the scene

“IT doesn’t matter!”(Nicolas Carr, HBR, 2003)

4

Setting the scene

"Firms with superior IT governance have at least 20% higher profits...than

firms with poor governance given the same strategic

objectives."( Louis Boyle, VP Gartner EXP, 2006)

5

IT governance definitions

IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensuring the fusion of business and IT. (Van Grembergen, 2002)

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

(IT Governance Institute, 2001)

6

ITG

OV

ER

NA

NC

E

strategic level

management level

operational level

Board of directors

Executive management (CEO,

CIO, …)

IT and business management

Three layers

7

Moving to Enterprise Governance of IT

Enterprise governance of IT (EGIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organisation that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.

(Van Grembergen & De Haes, 2009)

8

ISO 38.500 principles for Enterprise Governance of IT

• Principle 1: ResponsibilityIndividuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT. Those with responsibility for actions also have the authority to perform those actions.

• Principle 2: StrategyThe organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.

• Principle 3: AcquisitionIT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.

• Principle 4: PerformanceIT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

• Principle 5: ConformanceIT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.

• Principle 6: Human BehaviourIT policies, practices and decisions demonstrate respect for Human Behaviour, including the current and evolving needs of all the ‘people in the process’.

9

Key assets governance

Board

Executive committee

Key assets

Human assets

Financial assets

Physical assets

IP assets

Inform. & IT assets

Relationship assets

IT governance practices

Financial governance practices

Board

Executive committee

Key assets

Human assets

Financial assets

Physical assets

IP assets

Inform. & IT assets

Relationship assets

IT governance practices

Financial governance practices

10

IT Governance versus IT Management(Peterson, 2003)

BusinessOrientation

Tim e Orientation

External

Internal

Present Future

IT M anagem ent

IT IT GovernanceGovernance

11

StructuresRoles and responsibilities, IT organisation

structure, CIO on Board, IT strategy committee, IT steering committee(s)

ProcessesStrategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT,

Val IT, ITIL, IT alignment / governance maturity models

Enterprise governance of IT

Relational mechanismsActive participation and collaboration between principle

stakeholders, Partnership rewards and incentives, Business/IT co-location, Cross-functional business/IT

training and rotation

Structures, processes and relational mechanisms

12

Roles & responsibilities(Weill & Woodham)

Anarchy

Duopoly

Federal

Feodal

IT monarchy

B. monarchy

decisionInputDecisionInputDecisionInputDecisionInputDecisionInput

IT investmentBusinessApplication

needs

ITInfrastructure

strategies

IT architectureIT principles

Anarchy

Duopoly

Federal

Feodal

IT monarchy

B. monarchy

decisionInputDecisionInputDecisionInputDecisionInputDecisionInput

IT investmentBusinessApplication

needs

ITInfrastructure

strategies

IT architectureIT principles

Top three governance performers (achieving 4 performance objectives, weighted by importance)

Structures: Roles & responsibilities(Weill & Woodham)

13

Structures: Principles for Enterprise Governance of IT

• IT is a professional organization that effectively and efficiently manages its resources in alignment with the needs of the organization.

• IT is the exclusive provider of IT services. Outsourcing is always organised in joint partnership between business and IT.

• IT is pro-actively engaged in further developing and innovating the organization.• IT primarly develops and maintains compentencies that are aligned to and required for

supporting the expertise available in the organization.• The priorities within IT are aligned to the strategic goals of the organizations through

integrated planning cycles. • All IT applications comply with rules and policies as mutually agreed upon by business

and IT• IT is pro-actively engaged in reviewing and designing efficient business processes.• IT and the business collaborate based on fixed agreements. Based on a scope definition,

impact analysis and capacity reviews, both business and IT committ for timely delivery within quality requirements.

• There is transparancy on the required service quality that IT has to deliver to the business, and this service quality is continuously monitored.

• Starting from the initial development of new business project, the potential impact on IT needs to be analysed.

14

Structures: IT strategy committee(IT Governance Institute, 2002)

• a board may carry out its IT governance duties through an IT strategy committee

• the IT strategy committee has to consider:• how the board should become involved in IT governance• how to integrate the board’s role in IT and business strategy

• the IT strategy committee needs to offer expertise and timely advice and direction on topics such as:

• the alignment of IT with the business directions• the achievement of strategic IT objectives• the availability of suitable IT resources, skills and infrastructure• optimization of IT costs• the role and the value delivery of external IT sourcing• risk, return and competitive aspects of IT investments• progress on major IT projects• measurement of IT performance

15

Structures: IT strategy committee(IT Governance Institute, 2002)

•membership:•chairman (board member) •several board members•IT experts as external advisors

•the IT strategy committee should work in close partnership with•other board committees•management committees

16

Structures: IT strategy committee versus IT steeringcommittee (IT Governance Institute, 2002)

• an IT strategy committee is on board level whereas an IT steering committee ison executive level

• an IT steering committee:• assists the executive in the delivery of the IT strategy• oversees day-to-day management of IT service delivery and IT projects• focuses on implementation

• membership of an IT steering committee• sponsoring executive• business executive (key users)• CIO• key advisors as required (IT, audit, legal, finance)

17

Processes: Balanced Scorecard(Van Grembergen et al., 2002; Van Der Zee and De Jong, 1999)

• basic idea of the BSC is that traditional financial measures should besupplemented with measures concerning customer satisfaction, internal processes,and the ability to innovate

• the BSC, initially developed at enterprise level, can also be applied to IT and through a cascade of business and IT scorecards integrated business and ITmanagement can be realized

• when using the BSC alignment method, business goals and the drivers of business success are identified, including specific IT drivers (In this way, IT can be integrated in the business).

• IT BSC is becoming a popular tool with its concepts widely supported andand dispersed by consultant groups

18

Generic IT Balanced Scorecard

CorporateContribution

FutureOrientation

UserOrientation

OperationalExcellence

19

Corporate Contribution Scorecard

Business/IT Alignment Operational plan/budget approval N/A

Value Delivery Measured in business unit performance N/A

Cost Management Attainment of expense and recovery targets Attainment of unit cost targets

Industry expenditure comparisons Compass operational “Top Performing” levels

Risk Management Results of internal audits Execution of Security Initiative Delivery of Disaster Recovery Assessment

OSFI Sound Business Practices N/A N/A

Inter-company Synergy Achievement

Attainment of targeted integration cost reductions Single system solutions Target State Architecture approval IT organization integration

Merger & Acquisition guidelines N/A N/A N/A

ObjectiveObjective MeasuresMeasures BenchmarkBenchmark

To enable and contribute to the achievement of business objectives through effective delivery of value added information services.

20

User Orientation Scorecard

ObjectiveObjective MeasuresMeasures BenchmarkBenchmark

Competitive Costs Attainment of unit cost targets Compass operational “Top Performing” levels

Blended labour rates Market comparisons

Development Services Performance

Major project success scores: • recorded goal attainment • sponsor satisfaction rating • project governance rating

N/A

Operational Services Performance Attainment of targeted service levels Competitor comparisons

Customer Satisfaction Business unit survey ratings: • cost transparency and levels • service quality and responsiveness • value of I.S. advice and support • contribution to business objectives

N/A

To be the supplier of choice for all information services, either directly or indirectly through supplier relationship

21

Operational Excellence Scorecard

ObjectivesObjectives MeasuresMeasures BenchmarkBenchmark

Development Process Performance Function point based measures of: • productivity • quality • delivery rate

TBD

Operational Process Performance Benchmark based measures of: • productivity • responsiveness • change management effectiveness • incident occurrence levels

• Selected Compass Benchmark studies

Process Maturity Assessed levels of maturity and compliance in priority processes within: • planning and organization • acquisition and implementation • delivery and support • monitoring

TBD (ITGI)

Enterprise Architecture Management

• Major project architecture approval • Product acquisition compliance to

technology standards • “State of the Infrastructure”

assessment

N/A

To deliver timely and effective IT services at targeted service levels and costs

22

Future Orientation Scorecard

ObjectivesObjectives MeasuresMeasures BenchmarkBenchmark

Human Resource Management Results against targets: • staff complement by skill type • staff turnover • staff “billable” ratio • professional development days per

staff member

N/A Market comparison Industry standard Industry standard

Employee Satisfaction Employee satisfaction survey scores in: • compensation • work climate • feedback • personal growth • vision and purpose

North American technology dependent companies

Knowledge Management Delivery of internal process improvements to “Cybrary” Implementation of “lessons learned” sharing process

N/A N/A

To develop the internal capabilities to continuously improve performance through innovation, learning and personal organizational growth

23

Operational Services

Scorecards

Development Services

Scorecards

Governance Services

Scorecards

IT strategic balanced scorecard

Business Objectives

Cascade of scorecards

24

Roll-up to Service Level Performance metrics in IS

Strategic Scorecard

Average Speed of AnswerResolution Rate at Initial CallCall Abandonment Rate

Corporate ContributionExpense Management *Cost per ContactCost per User

Customer OrientationClient Satisfaction *Average Speed of AnswerResolution Rate at Initial CallCall Abandonment RateCustomer Caused Incidents

IS ProcessDS8 Process Maturity (Incident

Management)Call VolumePercent Automatically Logged

IncidentsCall Monitoring: Quality of Tickets

& Quality of CallsAverage Number of Calls/Agent

Future OrientationStaff Complement *Staff Turnover *PD Days/Staff Member *Employee Satisfaction *Implementation of Knowledge

Base Tool

IS Service Desk Unit Scorecard

* Will Aggregate as part of the I.S. Strategic Scorecard

25

THEN

Causal relationships

THEN

THEN IF

Carrying out the roles of the IT division's mission

(operational excellence)

Measuring up to business expectations governance

(user orientation)

Ensuring effective IT Governance

(business contribution)

(future orientation)

Building the foundation for delivery and continuous

learning and growth

26

MATURITY LEVEL 1: There is evidence that the organization has recognized that there is a need for a measurement system for its information technology division. There are ad hoc approaches to measure IT with respect to the two main IT processes, i.e. operations and systems development. This measurement process is often and individual effort in response to specific issues.

MATURITY LEVEL 2: Management is aware of the concept of the IT balanced scorecard and has communicated its intent to define appropriate measures. Measures are collected and presented to management in a scorecard. Linkages between outcome measures and performance drivers are generally defined but are not yet precise, documented or integrated into strategic and operational planning processes. Processes for scorecard training and review are informal and there is no compliance process in place.

MATURITY LEVEL 3: Management has standardized, documented and communicated the IT BSC through formal training. The scorecard process has been structured and linked tobusiness planning cycle. The need for compliance has been communicated but compliance is inconsistent. Management understands and accepts the need to integrate the IT BSC within the alignment process of business and IT. Efforts are underway to change the alignment process accordingly.

MATURITY LEVEL 4: The IT BSC is fully integrated into the strategic and operational planning and review systems of the business and IT. Linkages between outcome measures and performance drivers are systematically reviewed and revised based upon the analysis of results. There is a full understanding of the issues at all levels of the organization that is supported by formal training. Long term stretch targets and priorities for IT investment projects are set and linked to the IT scorecard. A business scorecard and a cascade of IT scorecards are in place and are communicated to all employees. Individual objectives of IT employees are connected with the scorecards and incentive systems are linked to the IT BSC measures. The compliance process is well established and levels of compliance are high.

MATURITY LEVEL 5: The IT BSC is fully aligned with the business strategic management framework and vision is frequently reviewed, updated and improved. Internal and external experts are engaged to ensure industry best practices are developed and adopted. The measurements and results are part of management reporting and are systematically acted upon by senior and IT management. Monitoring self-assessment and communication are pervasive within the organization and there is optimal use of technology to supportmeasurement, analysis, communication and training.

IT BSC maturity model

27

Processes: Information Economics(Parker, M., 1996; Van Grembergen and Van Bruggen, 1997)

• the information economics method is an alignment technique whereby bothbusiness and IT score IT projects

• this evaluation methods takes into account the ROI of a project and differentnon-tangibles such as “strategic match of the project” (business evaluation) and “match with the strategic IT architecture” (IT evaluation)

• information economics is a scoring technique resulting in a weighted totalscore based on the scores for the ROI and the non-tangibles (typically scoresfrom 0 to 5 are attributed whereby 0 means no contribution and 5 refersto a high contribution)

• information economics can be used as an alignment process with as objectivesto prioritize and select projects

29

Processes: COBIT and VALIT as frameworks for Enterprise Governance of IT


COBITFocus on IT processes

Val ITFoucs on IT- related business processes


COBITFocus on IT processes

Val ITFocus on IT- related business processes

30

PO1. define a strategic IT planPO2. define the information architecturePO3. determine technological directionPO4. define the IT processes, organization and relationshipsPO5. manage the IT investmentPO6.communicate management aims and directionPO7. manage IT human resourcesPO8. manage qualityPO9. assess and manage riskPO10. manage projects

AI1. identify automated solutionsAI2. acquire and maintain application softwareAI3. acquire and maintain technology infrastructureAI4. enable operation and useAI5. procure IT resourcesAI6. manage changesAI7. install and accredit solutions and changes

ME1. monitor and evaluate IT performanceME2. monitor and evaluate internal controlME3. ensure regulatory complianceME4. provide IT governance

DS1. define and manage service levelsDS2. manage third party servicesDS3. manage performance and capacityDS4. ensure continuous serviceDS5. ensure systems securityDS6. identify and allocate costsDS7. educate and train usersDS8. manage service desk and incidentsDS9. manage the configurationDS10. manage problems DS11. manage dataDS12. manage the physical environmentDS13.manage operations

INFORMATIONINFORMATION

• data• application systems• Infrastructure• people

• data• application systems• Infrastructure• people

PLANNING AND ORGANISATIONPLANNING AND ORGANISATION

ACQUISITION ANDIMPLEMENTATIONACQUISITION ANDIMPLEMENTATION

DELIVERY AND SUPPORT

DELIVERY AND SUPPORT

MONITOR AND EVALUATE

MONITOR AND EVALUATE

• effectiveness• efficiency• confidentiality• integrity• availability• compliance• reliability

• effectiveness• efficiency• confidentiality• integrity• availability• compliance• reliability

Criteria

IT RESOURCESIT RESOURCES

Business and Governance ObjectivesCOBIT Framework

31

p High-level and detailed Control Objectives

pManagement Guidelines

p Inputs – outputs

p RACI chart

p Goals and metrics

pMaturity models

pAssurance Guidelines – Implementation Guidelines

The Major Elements of COBIT

COBIT Control Objectives

33

Example: Detailed Control Objectives for Manage Changes (AI6)

AI6.1 Change Standards and ProceduresSet up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritisation and AuthorisationEnsure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder.

AI6.3 Emergency ChangesEstablish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.

AI6.4 Change Status Tracking and ReportingEstablish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.5 Change Closure and DocumentationWhenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.

34

1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.

2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.

3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.

4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.

5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.

DS8.1 Service DeskEstablish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.

COBIT - IT Control Practices

35

COBIT COBIT

Management GuidelinesManagement Guidelines

Inputs Inputs ––OutputsOutputs

36

Each process has primary inputs and outputs with process linkages

Risk AppetiteBusiness Strategy

Understanding of the business context, capability and capacity

Mission and Goals

Service PortfolioProject PortfolioTactical PlanStrategic Plan

InputsOutputs

PO1

37

COBIT COBIT

Management GuidelineManagement Guideline

RACI ChartRACI Chart

38

RACI chart providing roles and

responsibilitiesCEO

CFO BusinessExecutive

CIO

BusinessSr Management

Head ofOperations

ChiefArchitect or CTO

Head ofDevelopment

Head ofIT Admin

HR, Fin, etc

CARS

PMO

CEO

CFO BusinessExecutive

CIO

BusinessSr Management

Head ofOperations

ChiefArchitect or CTO

Head ofDevelopment

Head ofIT Admin

HR, Fin, etc

CARS

PMO

PO1

39

COBIT COBIT

Management GuidelineManagement Guideline

Goals and metricsGoals and metrics

40

Example: Goals and metricsfor Manage Changes (AI6)

41

COBIT COBIT

Maturity modelsMaturity models

42

Example: Maturity Modelfor Manage Changes (AI6)

0 Non-existent whenThere is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.1 Initial/ Ad Hoc whenIt is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.2 Repeatable but Intuitive whenThere is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change.3 Defined Process whenThere is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.4 Managed and Measurable whenThe change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimisethe likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process.5 Optimised whenThe change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.

43

PortfolioPortfolioManagementManagement

Programme Programme ManagementManagement

Project Project ManagementManagement

Programme – a structured grouping of projects that are both necessary and sufficient to achieve a business outcome and deliver value, including business change management, business processes, people, etc. (primary unit of investment within VALIT)

Project – a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget (that is necessary but not sufficient to achieve a required business outcome)

Portfolio – a suite of business programmes managed to optimise overall enterprise value

Val IT: Projects, Programmes, Portfolios and Value

Value – the end business outcome expected from an IT-enabled business investment where such outcomes may be financial, non-financial or a combination of the two.

44

Val IT - Relationship between Processes & Practices

MMaannaaggee tthhee IInnvveessttmmeennttss ((IIMM))

MMaannaaggee tthhee IInnvveessttmmeenntt PPoorrttffoolliioo ((PPMM))

Establish informed and committed leadership

Define and implement processes Define portfolio types

Align and integrate Value Management with enterprise financial

planning

Establish effective governance monitoring

Establish strategic direction and target investment mix

Determine availability and sources of funding

Human Resource Management

Evaluate and select programmes to fund

Monitor and report on portfolio performance

Optimise portfolio performance

Develop the programme plan

Launch and manage the programme

Develop full life cycle costs and benefits

Monitor and report on the programme

Update operational IT portfolios

Retire the programme

Develop and evaluate initial programme concept business case

Understand candidate programme and implementation options

Develop detailed candidate programme business case

Update the business case

EEssttaabblliisshh GGoovveerrnnaannccee FFrraammeewwoorrkk ffoorr VVaalluuee MMaannaaggeemmeenntt ((VVGG)) Implement lessons learned

45

VG processes

• VG01 Establish informed and committed leadership:- VG01.1 Develop an understanding of significance of IT and role of

governance- VG01.2 Establish effective reporting lines- VG01.3 Establish a leadership forum- VG01.4 Define value for the enterprise- VG01.5 Ensure alignment and integration of business and IT strategies

with key business goals• VG02 Define and implement processes:

- VG02.1 Define the value governance framework- VG02.2 Assess the quality and coverage of current processes- VG02.3 Identify and prioritise process requirements- VG02.4 Define and document processes- VG02.5 Establish, implement and communicate roles, responsibilities and

accountabilities- VG02.6 Establish organisational structures

• VG03 Define portfolio characteristics:- VG03.1 Define portfolio types- VG03.2 Define categories (within portfolios) - VG03.3 Develop and communicate evaluation criteria (for each category) - VG03.4 Assign weightings to criteria- VG03.5 Define requirements for stage-gates and other reviews (for each

category)

46

Example

Turnaround ModeSupport Mode

Strategic ModeFactory Mode

Turnaround ModeSupport Mode

Strategic ModeFactory Mode

Low

tohi

gh n

eed

forr

elia

ble

info

rmat

ion

tech

nolo

gy

Low to high need for new information technology

Nolan R., McFarlan F.W., 2005, Information Technology and Board of Directors, Harvard Business Review

VG01.1 Develop an understanding of significance of IT and role of governance

47

Change The Rule

Win The Race

Stay In The Race

Example

Transactional

Infrastructure

StrategicInformational

Increased salesCompetitive advantageCompetitive necessityMarket positioningInnovative services

Business integrationBusiness flexibility and agilityReduced marginal costs of business unit’s ITReduced IT costs over timeStandardization

Cut costsIncreased throughput

Increased controlBetter informationBetter integrationImproved quality

Investment budgetMajor business enablement

and infrastructure budgeteg. implementation SAP

Continuity budgetUpgrade or enhancement of

existing applicationseg. implementation of specific

reporting due to legal requirements

Maintenance budgetBreak/fix projects under eight

man weekseg. creation of new screens

Production budget

ICT

basi

c bu

dget +/- 50%

+/- 50%

+/- 33%

+/- 33%

+/- 33%

McKinsey

Weill

KBC

VG03.2 Define categories (within portfolios)

48

Example

VG03.3 Develop and communicate evaluation criteria (for each category)

NO IMPACT ON

MANAGEMENT

EFFECTIVENESS

NO URGENCYNO IMPACT ON COMPETITIVE

POSITION> 6< 200LOW

ONGOING SUPPORT

FOR OTHER MANAGEMEN

T

AVOID SMALL PROBLEMS IN OPERATIONAL

USAGE

IMPROVE PERFORMANCE

ON OTHER BUYING

FACTORS

4 – 6200 – 500MEDIUM

LOW

HIGH IMPACT FOR OTHER

MANAGEMENT

REDUCE WEEK POINTS IN CURRENT

OPERATIONS

IMPROVE PERFORMANCE SLIGHTLY ON

CUSTOMER KEY BUYING

FACTORS

2.5 – 4500 – 1000MEDIUM

OTHER SUPPORT FOR KEY DECISION MAKERS

ELIMINATE CRITICAL

OPERATIONAL HANDICAPS

IMPROVE PERFORMANCE ON CUSTOMER

KEY BUYING FACTORS FOR

OTHER SEGMENTS

1.5 – 2.51000 –2000

MEDIUM

HIGH

HIGH IMPACT SUPPORT FOR KEY DECISION MAKERS

DIRECT REACTION ON

EXTREME OPERATIONAL

RISK, CHANGED LEGAL OR

OPERATIONAL ENVIRONMENT,

EXTREME MAINTENANCE

RISK

IMPROVE PERFORMANCE SIGNIFICANTLY ON CUSTOMER

KEY BUYING FACTORS FOR

STRATEGIC SEGMENTS

< 1.5> 2000HIGH

DECISIONSUPPORT

OPERATIONALURGENCY

COMPETITIVEADVANTAGE

PROFITABILITY:

PAY BACK TIME

(YEARS)

NUMBER OF

PLANNEDMAN DAYS

BASIC CRITERIAPROJECT CLASS

PROJECTCLASS

Decision supportOperational urgency

HMHMMLLHMHMMLL

54321L54321L

43211ML54311ML

32111M53211M

21111MH53211MH

11111H52111H

Competitive advantageProfitablity

HMHMMLLHMHMMLL

55421L54321L

54311ML54321ML

44211M43321M

43211MH43211MH

32111H32211H

Proj

ect c

lass

Proj

ect c

lass

Proj

ect c

lass

Proj

ect c

lass

Sidmar-Arcelor

A 5 points on at least one criterion

Accept, high priority

B 4 points on profitability or 3 points on at least two criteria

Accept

C 3 points on profitability or total of 7 points

Accept if resources available

D 3 points on one criterion

Accept only if subcontractable

E All other projects

Decline

49

VG processes

• VG04 Align and integrate Value Management with enterprise financial planning:- VG04.1 Review current enterprise budgeting practices- VG04.2 Determine Value Management financial planning practice

requirements- VG04.3 Identify changes required- VG04.4 Implement optimal financial planning practices for Value

Management• VG05 Establish effective governance monitoring:

- VG05.1 Identify key metrics - VG05.2 Define information capture processes and approaches- VG05.3 Define reporting methods and techniques- VG05.4 Identify and monitor performance improvement actions

• VG06 Continuously improve Value Management practices- VG06.1 Implement lessons learnt

50

PM processes

• PM01 Establish strategic direction and target investment mix:- PM 1.1 Review and ensure clarity of business strategy and goals- PM 1.2 Identify opportunities for IT to support and influence the business

strategy- PM 1.3 Define appropriate investment mix- PM 1.4 Translate business strategy and goals into IT strategy and goals

• PM02 Determine the availability and sources of funds:- PM02.1 Determine overall investment funds

• PM03 Manage availability of human resources:- PM03.1 Create and maintain an inventory of business human resources- PM03.2 Understand the current and future demand (for business human

resources)- PM03.3 Identify shortfalls (between current and future business human

resource demand)- PM03.4 Create and maintain tactical plans (for business human resources)- PM03.5 Monitor, review and adjust (business function allocation and

staffing)- PM03.6 Create and maintain an inventory of IT human resources- PM03.7 Understand the current and future demand (for IT human

resources)- PM03.8 Identify shortfalls (between current and future IT human resource

demand) - PM03.9 Create and maintain tactical plans (for IT human resources)- PM03.10 Monitor, review and adjust (IT Function allocation and staffing)

51

IT Goals

Develo

ping i

nnov

ative

IT se

rvice

s with

a foc

us on

inform

ation

secu

rity

Fulfillin

g SLA

's with

busin

ess d

epart

ments

Increa

sing I

T depa

rtmen

t effic

iency

Integ

ration

and c

onso

lidati

on of

diffe

rent IT

depa

rtmen

tsIT di

saste

r rec

overy

and b

usine

ss co

ntinu

ity

IT gove

rnanc

e / IT

strat

egic

align

ment

IT mea

sures

to sa

tisfy

Basel

II req

uirem

ents

Loweri

ng co

st of

trans

actio

n proc

essin

g

Making

IT m

easu

rable

Optimizin

g the

IT in

frastr

uctur

e

Rapid

deve

lopmen

t of n

ew IT

servi

ces

Reduc

ing ex

terna

l staf

f

Standa

rdisin

g IT sy

stems

Business GoalsAchieving compliance with Basel II regulations S S PImproving competitiveness through IT P P S PImproving customer orientation and service P S P S S P SPost-merger integration and consolidation P S S S SReducing operational cost P P S S P P P P PReducing transaction cost P S S P P S SRisk management S P S S P P S P SShortening service development lifecycle S S PTailoring solutions for different target groups P S

Example

PM 1.4 Translate business strategy and goals into IT strategy and goals

52

PM processes

• PM04 Evaluate and select programmes to fund:- PM 4.1 Evaluate and assign relative scores to programme business cases- PM 4.2 Create overall investment portfolio view- PM 4.3 Make and communicate investment decisions- PM 4.4 Specify stages-gate and allocate funds to selected programmes- PM 4.5 Adjust business targets, forecasts and budgets

• PM05 Monitor and report on investment portfolio performance- PM 5.1 Monitor and report on portfolio performance

• PM06 Optimise investment portfolio performance- PM 6.1 Optimise portfolio performance- PM 6.2 Reprioritise the portfolio

53

Scoring investeringsdossiersATS Trekk.

ATSPnr Naam dossier

Ren

dem

ent

Aan

slui

ting

op

stra

tegi

e

Com

petit

ief

voor

deel

en

nood

zaak

Noo

dzaa

k

Ond

erst

euni

ng

man

agem

ent

Info

rmat

ie

arch

itect

uur

Ver

min

derin

g op

erat

ione

le

risic

o's

Pro

ject

risic

o &

or

gani

sato

risch

ris

ico

Func

tione

le

onze

kerh

eid

Tech

nisc

he

onze

kerh

eid

InvesteringsdossiersDoorlopende dossiers in 2004

RET MKT 0020 Intrest and liquidity risk (ALM_TDI) 1 5 4 5 5 5 5 2 5 5OND OND 0021 Quantitative Credit Risk Management (QCR) 4 5 5 5 5 5 1 4 5 5RET RET 0119 KBD : Multikanalen krediettoep. aan particulieren 4 5 4 3 3 5 5 2 1 1RET RET 0202 KIT 4 5 4 4 3 3 5 3 1 3RET RET 0232 Oleander (totaaloplossing Leven Ondernemingen) 1 5 5 1 3 5 3 3 1 2NAV NAV 0245 Collateral Management Fase 2 5 3 3 1 3 5 5 3 3 4BED BED 0292 Bankwijd Web-enablen van ICMtoepassingen 4 5 5 1 3 1 1 4 1 3NAV NAV 0397 IPE / EBOBA 1 5 4 1 3 5 3 4 5 4NAV NAV 0399 Verwerking OTC Derivaten 4 5 4 4 3 5 4 1RET RET 0403 VA Front-end LevenRET RET 0406 Product fabriek Schadeverzekeringen 2 5 4 1 1 5 3 4 1 3OND OND 0442 Operationeel Risicobeheer 5 5 5 5 5 3 5 3 3 3RET RET 0449 Herwerken cliënten output 5 5 4 5 1 5 5 3 5 2OND OND 0456 IAS Verzekeringen 4 5 4 5 5 3 3 4 5 3OND OND 0479 Beperking van de volatiliteit onder IAS 1 5 3 5 5 3 1 4 5 2OND OND 0501 ERP voor ondersteunende diensten B+VRET RET 0518 OFS (Ontwikkeling Financiele Services) 4 5 4 1 3 5 5 3 1 3

NieuweRET RET 0308 Migratie Centea 1 5 3 1 5 5 3 3 1 3OND OND 0480 Reconciliatietool 1 5 1 3 3 5 1 3 3RET RET 0884 Pleander Voorstudie Particulieren leven anders 1 5 5 2 3 5 3 2 5 2OND OND 0887 Europese Spaarfiscaliteit 1 5 4 3 3 5 4 5 1OND OND 0899 ERP - Fase 2 1 5 5 5 5 3 5 4 5 3

Geel Groen Rood

Risico'sWaardecategorie

PM 4.1 Evaluate and assign relative scores to programmebusiness cases

Example

54

Example

Financial Worth

vs.

RiskLegendLegend

Green = “Are” Risk score between 1 & 3.9

Yellow = “Are” Risk score between 4 & 6.9

Red = “Are” Risk score between 7 & 10

Right Things Confirmed Benefits

Right Way Done Well

Program

10

9

8

7

6

5

4

3

2

1

010 9 8 7 6 5 4 3 2 1 0

Overall RiskOverall Risk

Fina

ncia

l Wor

thFi

nanc

ial W

orth

Program 21Program 13

Program 03



Program 09

Program 01

Program 06

Program 23 Program 08

Program 11

Program 16

Program 12 Program 07

Program 15

Hold

Proceed

Stop

Source: Fujitsu

PM 4.2 Create overall investment portfolio view

55

IM processes

• IM01 Develop and evaluate initial programme concept business case:- IM01.1 Recognise investment opportunities - IM01.2 Develop initial programme concept business case- IM01.3 Evaluate initial programme concept business case

• IM02 Understand the candidate programme and implementation options:- IM02.1 Develop a clear and complete understanding of the candidate

programme- IM02.2 Perform alternatives analysis

• IM03 Develop the programme plan:- IM03.1 Develop a programme plan

• IM04 Develop full life-cycle costs and benefits:- IM04.1 Identify full life-cycle costs and benefits- IM04.2 Develop benefits realisation plan- IM04.3 Perform appropriate reviews and obtain sign-offs

• IM05 Develop the detailed candidate programme business case:- IM05.1 Develop detailed programme business case- IM05.2 Assign clear accountability and ownership- IM05.3 Perform appropriate reviews and obtain sign-offs

56

IM04.1 Identify full

life-cycle costs and

benefits

57

Example

Programme Outputs/

Capability

ISACA Strategic Objectives

Operational &Business Changes

Outcomes IntermediateBenefits End Benefits

Example - Enhanced web &E – commerceSystemFaster search engine

Example –Business Process Reengineeringe.g. Registration, Exams &certification

Example -More Automated Processes, Less outages

Example Improved Online selfHelp, reducedCalls for helpReducing costs

Example –CreateExpanded access toKnowledge &Networking Opportunities

ISACAStrategy MapE.G A07Enhance Community Experience

We are here on the Journey

LEGEND – Output describes a feature or enables a new outcomeOutcome is the desired operational resultBenefit is the measurement of an outcome and describes an advantage accruing from the outcome .An End Benefit is a direct contribution to a strategic objective.

IM04.2 Develop benefits realisation

plan

(example of a web2.0 programme)

58

Example

1. Cover sheetProgramme nameBusiness sponsorProgramme managerRevision notesValidation signaturesApproval signature

2. Executive summaryProgramme contextNameBusiness ssponsorTrack record of management teamCategory of investmentProgramme description/profileSynopsis of business case assessmentProgramme contribution (value)Programme timing (schedule)Risk, financial return and alignment scoresDependenciesKey risksComparative value summary

3. Are we doing the right things? (Why?)Financial benefits (full economic life cycle, best case, worst case, most likely case)Financial costs (full economic life cycle, full IT and business costs, best case, worst case, most likely case)Non-financial benefits (alignment)Non-financial (alignment, efficiency) costsRisk analysis (key risks and mitigation strategies)Organisational change impactImpact of not doing the programme - Opportunity cost

IM05.1 Develop detailed programme business case

59

Example4. Are we doing things the right way? (What and How?)Alternative approachesSelected approachHigh-level analytic modeProgramme milestonesCritical success factorsProgramme dependenciesEnterprise architecture complianceSecurity policy complianceKey risks

5. Are we doing things well? (How?)Programme execution planHigh-level benefits realisation planRisk managementChange managementGovernance structure (controls)Key risks

6. Are we getting the benefits?Description of benefits (projected life, full economic life cycle, best case, worst case, most likely, or base, case)High-level benefits registerFinancial benefitsKey risks

7. AppendicesDetailed analytic modelDetailed project planDetailed risk management planDetailed benefits realisation planFull benefits register

IM05.1 Develop detailed programme business case

60

IM processes

• IM06 Launch and manage the programme:- IM06.1 Plan projects, resource and launch the programme- IM06.2 Manage the programme- IM06.3 Track and manage benefits

• IM07 Update operational IT portfolios:- IM07.1 Update operational IT portfolios

• IM08 Update the business case:- IM08.1 Update the business case

• IM09 Monitor and report on the programme:- IM09.1 Monitor and report on programme (solution delivery) performance- IM09.2 Monitor and report on business (benefit/outcome) performance- IM09.3 Monitor and report on operational (service delivery) performance

• IM10 Retire the programme:- IM10.1 Retire the programme

61

VALIT Management Guidelines

Inputs / outputs

RACI

Goal & metrics

From Inputs Outputs* High-level business requirements Initial business case IM2 COBIT PO1COBIT PO5 COBIT AI1

PM1 Appropriate investment mix Initial business case approval IM3 IM4 IM6 COBIT PO1 COBIT PO10IM1 Initial business case COBIT AI1

COBIT PO1 IT services portfolioCOBIT PO5 IT cost-benefit estimatesCOBIT PO9 Risk assesment

To

Board

CEO

Com

pliance

, R

isk,

Audit

Secu

rity

In

vest

ment

and S

erv

ices

Board

Valu

e

Managem

ent

Off

ice

CFO

CIO

Busi

ness

Sponso

r

Pro

gra

mm

e

Manager

Pro

gra

mm

e

Managem

ent

Off

ice

Busi

ness

M

anagem

ent

Pro

ject

M

anagem

ent

Off

ice

Create an environment that fosters and welcomes new ideas and acknowledges their champions.

R A/R R R

Suggest new opportunities. R A/R R R R R R R

Capture opportunities for investment programmes to create value in support of the business strategy or to address operational or compliance issues.

C C C R C R A/R

Categorise the opportunity. Clarify expected business outcome(s) and identify, at a high level, business, process, people, technology and organisational initiatives required to achieve the expected outcomes.

C R C C A/R

Determine which opportunities to pursue further or examine in more depth, and identify and assign a business sponsor for each opportunity to be pursued.

C C C C C C A/R C

Describe the business outcome(s) to which the potential programme will contribute, the nature of the programme’s contribution, and how the contribution would be measured.

C C C A R R

Identify high-level initiatives that might be required to achieve these outcomes.

C C A R R

Estimate the high-level benefits, both financial and non-financial, and the costs for the full economic life cycle of the programme.

C C C A R R

State any key assumptions and identify key risks, along with their potential impact on current and future business operations, and mitigation strategies.

C C R A R R

Document the initial programme concept business case with information obtained.

C A R

Review and evaluate the initial programme concept business case.

C C C A R R R

Determine whether the programme should proceed to full programme definition and evaluation.

C C C A R R R

Obtain CIO approval and sign-off on the technical aspects of the initial programme concept business case.

I R A R

Obtain business sponsor approval and sign-off on overall initial programme concept business case. I A R

Activities

Functions

ACTIVITIES PROCESS IM

GO

ALS

• An environment that fosters and captures new ideas exists.• A process and responsibilities for submission and categorisation of new ideas exist and are used.• Champions of new ideas that are adopted are rewarded.• Outlines of potential business initiatives and their outcomes are identified.• High-level benefits and costs are identified for potential investment.• Significant risks, and assumptions and mitigation plans are documented.

• Individuals throughout the enterprise suggest new investment opportunities.• Ideas are collected, understood and categorised correctly for the investment portfolio.• Good ideas are selected efficiently and expediently for further study.• Good ideas are assigned business sponsors.• Documented initial concept business cases with outcomes, benefits, assumptions, costs and risks are prepared.• The content of initial programme

• Ensure that the enterprise’s individual IT-enabled investments contribute to optimal value.

MET

RIC

S

• Number of suggestions• Percentage of champions rewarded• Consistency and compliance of assessments and assumptions with enterprise’s processes and practices• Elapsed time between approval to prepare initial programme concept business case and sign-offs being obtained• Age and backlog of non-processed ideas• Number of programme concept business cases considered

• Percentage of ideas accepted to be developed into initial programme concept business cases• Number of new ideas per investment category• Number of ideas trying to bypass enterprise’s processes and practices• Number and percentage of sign-offs obtained without resubmission• Number and percentage of programme concept business cases that continue to full business case development

• Contribution of individual IT-enabled investments to optimal value

62

Roles & Responsibilities

Role Suggested definitionBoard The group of the most senior executives and/or non-executives of the enterprise,

who are accountable for the governance of the enterprise and have overall control of its resources

Business sponsor (incl. service owner)

The individual accountable for delivering benefits and value to the enterprise from an IT-enabled business investment programme

Business unit executives / managers

Business individuals with roles with respect to a programme

Compliance, audit, risk and security (CARS)

The function(s) in the enterprise responsible for compliance, audit, risk and security

Chief Executive Officer (CE0)

The highest ranking officer, who is in charge of the total management of the enterprise

Chief Financial Officer (CF0

The most senior official of the enterprise, who is accountable for financial planning, record keeping, investor relations and financial risks

Chief Information Officer (CIO)

The most senior official of the enterprise, who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information, and the deployment of associated human resources

Investment and services board (ISB)

A management structure primarily accountable for managing the enterprise’s portfolio of investment programmes and existing/current services and, thus, managing the level of overall funding to provide the necessary balance between enterprise-wide and specific line-of-business needs

Head of Human Resources

The most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise

Programme Manager

The individual responsible for the achievement of the programme’s objectives

Programme Management Office (PgMO)

The function responsible for supporting programme managers and gathering, assessing and reporting information about the conduct of their programmes and constituent projects

Project Management Office (PMO)

The function for supporting project managers; defining and propagating standardised methodologies; and gathering, assessing and reporting information about the conduct of their projects

Value Management Office (VMO)

The function that acts as the secretariat for the ISB in managing investment and service portfolios, including assessing and advising on investment opportunities and business cases, value governance/management methods and controls, and reporting on progress in sustaining and creating value from investments and services

63

Relational mechanisms(Peterson, 2003)

• Effective communications and knowledge sharing

• Active participation and collaboration of principle stakeholders

• Partnership rewards and incentives

• Business/IT collocation

• Cross-functional business/IT training and job rotation

• IT leadership

• …

64

IT governance international benchmarking

(“IT governance global status report”, ITGI, 2008)

IT governance implementation status

65

IT governance implementation by industry

(“IT governance global status report”, ITGI, 2008)

66

Agenda





67

Implementation of EGIT in practice

Requires:

A holistic set of

• Governance Processes• Structures• Relational Mechanisms

at all 3 layers of the organization.

Structures Processes


Relational mechanisms

68

“a list of 33 EGIT practices based on delphi research”

12 structures12 structures

11 processes11 processes

10 relational mechanisms10 relational mechanisms

69

EGIT: Practices identified & defined structures: 12 practices

xSteering committee at executive or senior managementLevel responsible for determining business priorities in ITinvestments.

IT steering committee (IT investment evaluation /prioritisation at executive / senior management level)

xCIO has a direct reporting line to the CEO and/or COOCIO (Chief Information Officer) reporting to CEO(Chief Executive Officer) and/or COO (ChiefOperational Officer)

xCIO is a full member of the executive committeeCIO on executive committee

xIndependent committee at level of board of directors overviewing (IT) assurance activities(IT) audit committee at level of board of directors

xMembers of the board of directors have expertise andexperience regarding the value and risk of ITIT expertise at level of board of directors

xCommittee at level of board of directors to ensure IT isregular agenda item and reporting issue for the board ofdirectors

IT strategy committee at level of board of directors

E/SB

LevelDefinitionBest Practice

70

EGIT: Practices identified & defined structures: 12 practices

xxDocumented roles & responsibilities includegovernance/alignment tasks for business and IT people (cf. Weill)

Integration of governance/alignment tasks in roles & responsibilities

xCommittee composed of business and IT people providingarchitecture guidelines and advise on their applications. Architecture steering committee

xSteering committee composed of business and IT peoplefocusing on IT related risks and security issuesIT security steering committee

xSteering committee composed of business and IT peoplefocusing on prioritising and managing IT projectsIT project steering committee

xFunction responsible for security, compliance and/or risk,which possibly impacts ITSecurity / compliance / risk officer

xFunction in the organisation responsible for promoting,driving and managing IT governance processesIT governance function / officer

E/SB


71

EGIT: Practices identified & defined processes: 11 practices

xFormal agreements between business and IT about IT development projects or IT operationsService level agreements

xMethodology to charge back IT costs to business units, to enable an understanding of the total cost of ownership

Charge back arrangements - total cost of ownership (e.g. activity based costing)

xxPrioritisation process for IT investments and projects in which business and IT is involved (incl. business cases)

Portfolio management (incl. business cases, information economics, ROI, payback)

xxIT performance measurement in domains of corporate contribution, user orientation, operational excellence and future orientation

IT performance measurement (e.g. IT balanced scorecard)

xxFormal process to define and update the IT strategyStrategic information systems planning

E/SB


72

EGIT: Practices identified & defined processes: 11 practices

xxFramework for internal controlCOSO / ERM

xxProcesses to monitor the planned business benefits during and after implementation of the IT investments / projects. Benefits management and reporting

xxProcesses to control and report upon budgets of ITinvestments and projects IT budget control and reporting

xProcesses and methodologies to govern and manage ITprojectsProject governance / management methodologies

xxRegular self-assessments or indepent assurance activitieson the governance and control over ITIT governance assurance and self-assessment

xProcess based IT governance and control frameworkIT governance framework COBIT

E/SB


73

EGIT: Practices identified & defined relational mechanisms: 10 practices

xBridging the gap between business and IT by means ofaccount managers who act as in-betweenBusiness/IT account management

xxSystems (intranet, …) to share and distribute knowledgeabout IT governance framework, responsibilities, tasks,etc.

Knowledge management (on IT governance)

xTraining business people about IT and/or training ITpeople about businessCross-training

xPhysically locating business and IT people close to eachotherCo-location

xIT staff working in the business units and business peopleworking in ITJob-rotation

E/SB


74

EGIT: Practices identified & defined relational mechanisms: 10 practices

xxCampaigns to explain to business and IT people the needfor IT governanceIT governance awareness campaigns

xxInternal corporate communication regularly addressesgeneral IT issues.

Corporate internal communication addressing IT on aregular basis

xxAbility of CIO or similar role to articulate a vision for IT'srole in the company and ensure that this vision is clearlyunderstood by managers throughout the organization

IT leadership

xInformal meetings, with no agenda, where business and ITsenior management talk about general activities,directions, etc. (eg. during informal lunches)

Informal meetings between business and ITexecutive/senior management

xSenior business and IT management acting as "partners"Executive / senior management giving the goodexample

E/SB


75

0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4,5 5,0

COSO / ERMJob-rotation

IT governance assurance and self-assessmentCo-location

Cross-trainingIT security steering committee

IT governance aw areness campaignsBenefits management and reporting

IT governance function / off icerArchitecture steering committee

IT expertise at level of board of directors(IT) audit committee at level of board of directors

Integration of governance/alignment tasks in roles&responsibilitiesKnow ledge management (on IT governance)

Security / compliance / risk off icerCharge back arrangements - total cost of ow nership (e.g. activity based costing)

IT governance framew ork COBITCorporate internal communication addressing IT on a regular basis

Service level agreementsIT strategy committee at level of board of directors

Business/IT account managementInformal meetings betw een business and IT executive/senior management

Strategic information systems planningExecutive / senior management giving the good example

IT leadershipIT performance measurement (e.g. IT balanced scorecard)

IT project steering committeeProject governance / management methodologies

Portfolio management (incl. business cases, information economics, ROI, payback)IT budget control and reporting

CIO on executive committeeCIO reporting to CEO and/or COO

IT steering committee (IT investment evaluation / prioritisation)

0 = not effective, 5 = very effective

Perceived effectiveness of EGIT practices

76

0,0 0,5 1,0 1,5 2,0 2,5 3,0 3,5 4,0 4,5

COSO / ERM

IT expertise at level of board of directorsBenefits management and reporting

Charge back arrangements - total cost of ow nership (e.g. activity based costing)Job-rotation

IT governance framew ork COBIT

IT governance assurance and self-assessmentIntegration of governance/alignment tasks in roles&responsibilities

Portfolio management (incl. business cases, information economics, ROI, payback)Know ledge management (on IT governance)

IT performance measurement (e.g. IT balanced scorecard)Executive / senior management giving the good example

Strategic information systems planningCross-training

IT leadershipProject governance / management methodologies

Co-location

IT governance function / off icerArchitecture steering committee

Service level agreementsIT governance aw areness campaigns

Business/IT account managementIT steering committee (IT investment evaluation / prioritisation)

IT strategy committee at level of board of directors (IT) audit committee at level of board of directors

CIO on executive committeeIT security steering committee

Corporate internal communication addressing IT on a regular basis

Informal meetings betw een business and IT executive/senior managementIT budget control and reporting

IT project steering committeeSecurity / compliance / risk off icer

CIO reporting to CEO and/or COO

0 = not easy to implement,, 5 = very easy to implement

Perceived ease of implementation of EGIT practices

77

4,94,84,7 S64,64,5 S54,4 S44,34,24,1 P3 P8 P9

4 P2 S93,9 R8/R63,8 P1 R5 S1 R73,73,63,5 P53,4 R93,3 P6/P4 S83,2 S12 R4 S33,1 S2 S11

32,9 P10 S72,8 P7 R3 R2 R10 S102,72,62,52,4 P11 R12,32,22,1

21,91,81,71,61,51,41,31,21,1

10,90,80,70,60,50,40,30,20,1

0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1,0 1,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6 3,7 3,8 3,9 4,0 4,1 4,2 4,3 4,4 4,5 4,6 4,7 4

Ease of implementation

Effe

ctiv

enes

s

S1 IT strategy committee at level of board of directors S2 IT expertise at level of board of directorsS3 (IT) audit committee at level of board of directorsS4 CIO on executive committee

S5CIO (Chief Information Officer) reporting to CEO (Chief Executive Officer) and/or COO (Chief Operational Officer)

S6IT steering committee (IT investment evaluation / prioritisation at executive / senior management level)

S7 IT governance function / officerS8 Security / compliance / risk officerS9 IT project steering committeeS10 IT security steering committeeS11 Architecture steering committeeS12 Integration of governance/alignment tasks in roles&responsibilitiesP1 Strategic information systems planningP2 IT performance measurement (e.g. IT balanced scorecard)

P3Portfolio management (incl. business cases, information economics, ROI, payback)

P4Charge back arrangements - total cost of ownership (e.g. activity based costing)

P5 Service level agreementsP6 IT governance framework COBITP7 IT governance assurance and self-assessmentP8 Project governance / management methodologiesP9 IT budget control and reportingP10 Benefits management and reportingP11 COSO / ERMR1 Job-rotationR2 Co-locationR3 Cross-trainingR4 Knowledge management (on IT governance)R5 Business/IT account managementR6 Executive / senior management giving the good example

R7Informal meetings between business and IT executive/senior management

R8 IT leadershipR9 Corporate internal communication addressing IT on a regular basisR10 IT governance awareness campaigns

Key minimum baseline IT governance practices

IT governance practices that are highly effective and easy to implement

IT governance practices that are highly effective but difficult to implement

IT governance practices whose value is

challenged

Hig

hLo

w

Difficult to implement Easy to implement

•IT steering committee •IT project steering committee•Having the CIO reporting to the CEO•Project management methodologies•Portfolio management• IT budget control and reporting•IT leadership

78

Assignment

EGIT practices in a case organisation

79

Rationale

IT strategy committee at level of board of directors 0 1 2 3 4 5IT expertise at level of board of directors 0 1 2 3 4 5(IT) audit committee at level of board of directors 0 1 2 3 4 5CIO on executive committee 0 1 2 3 4 5CIO reporting to CEO and/or COO 0 1 2 3 4 5IT steering committee (IT investment evaluation / prioritisation at executive / senior management level) 0 1 2 3 4 5IT governance function / officer 0 1 2 3 4 5Security / compliance / risk officer 0 1 2 3 4 5IT project steering committee 0 1 2 3 4 5IT security steering committee 0 1 2 3 4 5Architecture steering committee 0 1 2 3 4 5Integration of governance/alignment tasks in roles&responsibilit ies 0 1 2 3 4 5Strategic information systems planning 0 1 2 3 4 5IT performance measurement (e.g. IT balanced scorecard) 0 1 2 3 4 5Portfolio management (incl. business cases, information economics, ROI, payback) 0 1 2 3 4 5Charge back arrangements - total cost of ownership (e.g. activity based costing) 0 1 2 3 4 5Service level agreements 0 1 2 3 4 5IT governance framework COBIT 0 1 2 3 4 5IT governance assurance and self-assessment 0 1 2 3 4 5Project governance / management methodologies 0 1 2 3 4 5IT budget control and reporting 0 1 2 3 4 5Benefits management and reporting 0 1 2 3 4 5COSO / ERM 0 1 2 3 4 5Job-rotation 0 1 2 3 4 5Co-location 0 1 2 3 4 5Cross-training 0 1 2 3 4 5Knowledge management (on IT governance) 0 1 2 3 4 5Business/IT account management 0 1 2 3 4 5Executive / senior management giving the good example 0 1 2 3 4 5Informal meetings between business and IT executive/senior management 0 1 2 3 4 5IT leadership 0 1 2 3 4 5Corporate internal communication addressing IT on a regular basis 0 1 2 3 4 5IT governance awareness campaigns 0 1 2 3 4 5Other practicesGeneral remarks

Maturity

Organisation

80

Assignment

0 Non-existent There is a complete lack of any recognisable IT Governance process.

1 Initial/ad hocThe organisation has recognised that IT Governance issues exist and need to be addressed.

2 Repeatable but intuitiveThere is awareness of IT Governance objectives, and practices are developed and applied by individual managers.

3 Defined processThe need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented.

4 Managed and measurableIT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process.

5 OptimisedEnterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.

Assess the “As-Is” and “To-Be” EGIT situation in your organisation

81

Agenda





82

Business/IT Alignment

• Research concerning difficulties experienced by organisationswhile aligning business and IT.

- Expression barriers (lack of direction in business strategy)- Specification barriers (lack of IT involvement in strategy

development)- Implementation barriers (difficult integration of legacy

systems)

83


• Henderson and Venkatraman (SAM model)

Business Business StrategyStrategy

IS infrastructure and IS infrastructure and processesprocesses

Business Strategy IT Strategy

Organizational Infrastructure and

processesIS infrastructure and processes

Exte

rnal

Inte

rnal

Strategic fit

Business Information Technology

Business Business StrategyStrategy

IS infrastructure and IS infrastructure and processesprocesses

Business Strategy IT Strategy

Organizational Infrastructure and

processesIS infrastructure and processes

Exte

rnal

Inte

rnal

Strategic fit


Functional Integration

84

Strategic Alignment (Henderson and Venkatraman, 1993)

Businessstrategy

ITstrategy

Operationalinfrastructureand processes

ITinfrastructureand processes

External

Internal

Stra

tegi

c fit

Functional integration


85

Strategic Alignment model

Business strategy as the driver: strategy execution alignment perspectiveBusiness strategy is articulated and is the driverof both organizational and IT infrastructure design

Businessstrategy

ITstrategy



External

Internal

Stra

tegi

c fit



86

Business strategy as the driver: technology transformation alignment perspectiveImplementing the chosen business strategy through appropriateIT strategy and required IT infrastructure and processes

Businessstrategy

ITstrategy



External

Internal

Stra

tegi

c fit




87

IT strategy as the enabler: service level alignment perspectiveFocuses on how to build a world-class IT service organization

Businessstrategy

ITstrategy



External

Internal

Stra

tegi

c fit




88

businessinformation/

communication technology

strategy

structure

operations


• Maes (extension SAM model)

89

Assignment

Business / IT alignment assessment through business goals / IT goals

90

Assignment: linking business goals to IT goals

91

IT Goals

Develo

ping i

nnov

ative

IT se

rvice

s with

a foc

us on

inform

ation

secu

rity

Fulfillin

g SLA

's with

busin

ess d

epart

ments

Increa

sing I

T depa

rtmen

t effic

iency

Integ

ration

and c

onso

lidati

on of

diffe

rent IT

depa

rtmen

tsIT di

saste

r rec

overy

and b

usine

ss co

ntinu

ity

IT gove

rnanc

e / IT

strat

egic

align

ment

IT mea

sures

to sa

tisfy

Basel

II req

uirem

ents

Loweri

ng co

st of

trans

actio

n proc

essin

g

Making

IT m

easu

rable

Optimizin

g the

IT in

frastr

uctur

e

Rapid

deve

lopmen

t of n

ew IT

servi

ces

Reduc

ing ex

terna

l staf

f

Standa

rdisin

g IT sy

stems

Business GoalsAchieving compliance with Basel II regulations S S PImproving competitiveness through IT P P S PImproving customer orientation and service P S P S S P SPost-merger integration and consolidation P S S S SReducing operational cost P P S S P P P P PReducing transaction cost P S S P P S SRisk management S P S S P P S P SShortening service development lifecycle S S PTailoring solutions for different target groups P S

Linking business goals – IT goals

92

Aligning business goals and IT goals

• UAMS-ITAG/ITGI research:- Previous research

• 20 business goals and 28 IT goals• Across multiple sectors

- This study• Validate business and IT goals• Gain insight in priorities for different sectors• Examine relationship between IT goals and business goals

93


• Delphi methodology:- Structured process for collecting and distilling knowledge

from a group of experts by means of several research rounds.

• 158 business and IT people

• 5 sectors - Manufacturing and pharmaceuticals, IT professional services,

telecommunications and media, government, utilities and healtcare, and retail and transportation.

94


95


1. ALIGN THE IT STRATEGY TO THE BUSINESS STRATEGY

2. MAINTAIN THE SECURITY (CONFIDENTIALITY, INTEGRITY AND AVAILABILITY) OF INFORMATION AND PROCESSING INFRASTRUCTURE

3. MAKE SURE THAT IT SERVICES ARE RELIABLE AND SECURE

4. PROVIDE SERVICE OFFERINGS AND SERVICE LEVELS IN LINE WITH BUSINESS REQUIREMENTS

5. PROVIDE IT COMPLIANCE WITH LAWS AND REGULATIONS

6. TRANSLATE BUSINESS FUNCTIONAL AND CONTROL REQUIREMENTS IN EFFECTIVE AND EFFICIENT AUTOMATED SOLUTIONS

7. DELIVER PROJECTS ON TIME AND ON BUDGET MEETING QUALITY STANDARDS

8. DRIVE COMMITMENT AND SUPPORT OF EXECUTIVE MANAGEMENT

9. IMPROVE IT’S COST-EFFICIENCY10. ACCOUNT FOR AND PROTECT ALL IT ASSETS

1. IMPROVE CUSTOMER ORIENTATION AND SERVICE

2. COMPLY WITH EXTERNAL LAWS AND REGULATIONS

3. ESTABLISH SERVICE CONTINUITY AND AVAILABILITY

4. MANAGE (IT RELATED) BUSINESS RISKS5. OFFER COMPETITIVE PRODUCTS AND

SERVICES6. IMPROVE AND MAINTAIN BUSINESS PROCESS

FUNCTIONALITY7. PROVIDE A GOOD RETURN ON INVESTMENT

OF (IT ENABLED) BUSINESS INVESTMENTS8. ACQUIRE, DEVELOP AND MAINTAIN SKILLED

AND MOTIVATED PEOPLE9. CREATE AGILITY IN RESPONDING TO

CHANGING BUSINESS REQUIREMENTS10. OBTAIN RELIABLE AND USEFUL

INFORMATION FOR STRATEGIC DECISION MAKING

TOP 10 PRIORITIZED LIST OF IT GOALSTOP 10 PRIORITIZED LIST OF BUSINESS GOALS

96

IT Goals Busines

s Goals

1. Im

prove

custo

mer ori

entat

ion an

d serv

ice

2. Prov

ide co

mplian

cy w

ith ex

terna

l laws a

nd re

gulat

ions

3. Esta

blish

servi

ce co

ntinu

ity an

d ava

ilabil

ity

4. Man

age (

IT relat

ed) b

usine

ss ris

ks

5. Offe

r com

petiti

ve pr

oduc

ts an

d serv

ices

6. Im

prove

and m

aintai

n bus

iness

proc

ess f

uncti

onali

ty

7. Prov

ide a

good

retur

n on i

nves

tmen

t of (I

T enab

led) b

usine

ss in

vestm

ents

8. Acq

uire,

deve

lop an

d main

tain s

killed

and m

otiva

ted pe

ople

9. Crea

te ag

ility in

resp

ondin

g to c

hang

ing bu

sines

s req

uirem

ents

10. O

btain

reliab

le an

d use

ful in

formati

on fo

r stra

tegic

decis

ion m

aking

11; A

chiev

e cos

t opti

misatio

n of s

ervice

deliv

ery

12. O

ptimise

busin

ess p

roces

s cos

ts

13. E

nable

and M

anag

e bus

iness

chan

ge

14. Im

prove

and m

aintai

n ope

ration

al an

d staf

f prod

uctiv

ity

15. Im

prove

finan

cial tr

ansp

arenc

y

16. P

rovide

compli

ancy

with

inter

nal p

olicie

s

17. Id

entify

, ena

ble an

d man

age p

roduc

t and

busin

1. Align the IT strategy to the business strategy P S S P P P S S P P S S P S S S P2. Maintain the security (confidentiality, integrity and avaliability) of information and processing infrastructure P P P P S S P3. Make sure that IT services are reliable and secure P P P P S S S S S S S S4. Provide service offerings and service levels in line with business requirements P P S P P S S S S S S S S S5. Provide IT compliancy with laws and regulations S P P S S S P6. Translate business functional and control requirements in effective and efficient automated solutions S S S S P S S S S S S S S S7. Deliver projects on time and on budget meeting quality standards S S S S S S S S S S8. Drive commitment and support of executive management S S S S S S S S S S9. Improve IT’s cost-efficiency S P P P S10. Account for and protect all IT assets S S S S S S11. Acquire, develop and maintain IT skills that respond to the IT strategy S S P S S S S S12. Provide IT agility (in responding to changing business needs) S S S S P P S13. Offer transparency and understanding of IT cost, benefits and risks S S S S P14. Optimise the IT infrastructure, resources and capabilities S S P S P S S15. Accomplish proper use of applications, information and technology solutions S S S S S S S S S S S S S16. Seamlessly integrate applications and technology solutions into business processes S S P S S S S S S S S17. Ensure that IT demonstrates continuous improvement and readiness for future change S S S P S P18. Acquire knowledge and expertise in emerging technologies for business innovation and optimisation S S P S S S S P

97

Luftman assessment of business/IT alignment maturity

• Validated instrument• Used in many studies to assess business/IT alignment• 6 attributes

- Communications maturity- Competency/value measurements maturity- Governance maturity- Partnership maturity- Scope & architecture maturity- Skills maturity

98

attribute characteristics level 1 characteristic level 5

•communications maturity• understanding of business by IT minimum pervasive• understanding of IT by business minimum pervasive• inter/intra-organizational learning casual, ad hoc strong and structured• protocol rigidity command and control informal• knowledge sharing ad hoc extra-enterprise• liaison(s) breath/effectiveness none or ad hoc extra-enterprise

• competency/value measurements maturity• IT metrics technical extended to external partners• business metrics ad hoc extended to external partners• balanced metrics ad hoc, unlinked business, partner and IT metrics• service level agreements sporadically present extended to external partners• benchmarking not generally practiced routinely performed with partners• formal assessments/reviews none routinely performed• continuous improvement none routinely performed

• governance maturity• business strategic planning ad hoc integrated across & external• IT strategic planning ad hoc integrated across & external• reporting/organization structure CIO reports to CFO CIO reports to CEO

central/decentral federated• budgetary/control cost center, erratic investment center, profit center• IT investment management cost based, erratic business value• steering committee(s) not formal, regular partnership• prioritization process reactive value added partner

99

attribute characteristics level 1 characteristic level 5•partnership maturity

• business perception of IT value IT perceived as a cost IT co-adapts with business• role of IT in strategic business planning no seat at business table co-adaptive with business• shared goals, risk, rewards/penalties IT takes risk risks and rewards shared• IT program management ad hoc continuous improvement• relationship/trust style conflict/minimum valued partnership• business sponsor/champion none at the CEO level

• scope & architecture maturity• traditional, enabler/driver traditional systems business strategy driver/enabler• standards articulation none or ad hoc inter-enterprise standards• architectural integration: no formal integration evolve with partners

• functional organization integrated• enterprise standard enterprise architecture• inter-enterprise with all partners

• architectural transparency, flexibility none across the infrastructure

• skills maturity• innovation, entrepreneurship discouraged the norm• locus of power in the business all executives, including CIO • management style command and control relationship based• change readiness resistant to change high, focused• career crossover none across the enterprise• education, cross-training none across the enterprise• attract & retain best talent no program effective program for

100

Example questions(partnership maturity)

IT is perceived by the business as: 1 A cost of doing business2 Emerging as an asset3 A fundamental enabler of future business activity4 A fundamental driver of future business activity5 A partner for the business that co-adapts/improvises in bringing value to the firm6 N/A or don’t know

The following statements are about the IT and business relationship and trust.1 There is a sense of conflict and mistrust between IT and the business.2 The association is primarily an “arm’s length” transactional style of relationship.3 IT is emerging as a valued service provider.4 The association is primarily a long-term partnership style of relationship.5 The association is a long-term partnership and valued service provider.6 N/A or don’t know

The following statements are about the cultural locus of power in making IT-based decisions. Our important IT decisions are made by:1 Top business management or IT management at the corporate level only2 Top business or IT management at corporate level with emerging functional unit level

influence3 Top business management at corporate and functional unit levels, with

emerging shared influence from IT management4 Top management (business and IT) across the organization and emerging

influence from our business partners/alliances.5 Top management across the organization with equal influence from our

business partners/alliances.6 N/A or don’t know

101

Business / IT alignment international benchmark

0

0,5

1

1,5

2

2,5

3

3,5

4

4,5

5

Retail

trans

porta

tion

Hotel/e

nterta

inmen

tServ

ices

Insura

nce

Manufac

turing

Health

Chemica

lFina

ncial

Govern

ment

Oil/Gas

/Mining

Utilities

Pharm

aceuti

cal

Educa

tiona

lOve

rall A

verag

e

Alignment

102

Business / IT alignment Belgian benchmark

• Result of alignment benchmark research• 10 Belgian financial enterprises:

Organisation

Number of employees in Belgium Main activities

A More than 1000 Banking and InsuranceB Between 100 and 1000 Banking and InsuranceC More than 1000 BankingD More than 1000 BankingE More than 1000 Banking and InsuranceF More than 1000 Financial transaction servicesG Between 100 and 1000 Banking and InsuranceH Between 100 and 1000 Baking and InsuranceI More than 1000 Banking and InsuranceJ More than 1000 Banking and Insurance

103

G

F<< A B C D E H I J >>

1,0 1,1 1,2 1,3 1,4 1,5 1,6 1,7 1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6 3,7 3,8 3,9 4,0

Organisation

Total number of respondents

Number of IT respondents

Number of business

respondents

Average maturity score

by IT

Average maturity score

by business Delta

Total Alignment

maturity ScoreA 9 5 4 2,06 2,14 -0,07 2,10 -0,59 -22%

B 5 3 2 2,27 2,00 0,27 2,16 -0,52 -19%

C 9 3 6 2,59 2,55 0,05 2,56 -0,12 -5%

D 6 3 3 2,98 2,35 0,64 2,67 -0,02 -1%

E 9 5 4 2,69 2,74 -0,05 2,71 0,03 1%

F 8 3 5 3,15 2,46 0,69 2,72 0,04 1%

G 10 5 5 2,75 2,73 0,03 2,74 0,06 2%

H 9 6 2 2,89 2,95 -0,06 2,91 0,22 8%

I 8 5 4 3,23 2,97 0,26 3,11 0,43 16%

J 11 6 5 3,09 3,26 -0,17 3,17 0,48 18%

Total Total Total Average84 44 40 2,69

Deviation from average

Business / IT alignment Belgian benchmark

104

The relationship between EGIT practices and business / IT alignment

• Research on extreme cases • Interviews/workshops to

define maturity of 33 governance practices

CIOHead Accounting

J

Head IT GovernanceHead IT DevelopmentHead Project Management Office

I

CEOChange Manager

B

Adjunt-director Organization DepartmentService delivery managerDirector Organization Department

A

IntervieweesOrganization

105

0 Non-existent There is a complete lack of any recognisable IT Governance process.

1 Initial/ad hocThe organisation has recognised that IT Governance issues exist and need to be addressed.

2 Repeatable but intuitiveThere is awareness of IT Governance objectives, and practices are developed and applied by individual managers.

3 Defined processThe need to act with respect to IT Governance is understood and accepted. Procedures have been standardised, documented and implemented.

4 Managed and measurableIT Governance evolves into an enterprise-wide process and IT Governance activities are becoming integrated with the enterprise governance process.

5 OptimisedEnterprise governance and IT Governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise.

Defining maturity of 33 EGIT practices

106

A B I JS1 0 0 0 0S2 4 1 0 1S3 3 3 3 3S4 2 5 2 0S5 2 5 4 5S6 2 2 4 4S7 2 0 4 4S8 2 3 4 5S9 2 2 4 4S10 0 0 0 4S11 0 0 1 3S12 2 1 2 5P1 1 2 1 4P2 1 2 4 4P3 1 2 4 4P4 0 0 2 5

P5 0 0 2 4P6 0 0 1 4P7 1 0 1 1P8 2 3 3 4P9 1 2 4 5P10 0 1 1 3P11 0 0 0 0R1 1 0 1 2R2 5 2 3 3R3 2 0 2 1R4 3 3 4 4R5 2 0 0 4R6 2 2 5 5R7 2 0 0 0R8 1 4 4 4R9 2 0 2 3R10 1 1 1 1

1,48 1,39 2,21 3,12

107

The relationship between EGIT and business/IT alignment

0,000,501,001,502,002,503,003,504,00

Structures Processes Relationalmechanisms

JIBA

G

F<< A B C D E H I J >>1,8 1,9 2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7 2,8 2,9 3,0 3,1 3,2 3,3 3,4 3,5 3,6

Business/IT alignment maturity

Maturity of IT governance

practices

108

The relationship between EGIT and business / IT alignment

• Maturity averages• Clear gap between A-B and I-J

00,5

11,5

22,5

33,5

A B I J

109

0

1

2

3

4

5

6

S1 S4 S5 S6 S9 P1 P3 P8 P9 R8

JA

Extreme cases analysisEGIT practices versus

business / IT alignment

00,5

11,5

22,5

33,5

A B I J

Average IT goverancepractices maturity

0

1

2

3

4

5

6S

1 S2

S3

S4

S5

S6 S7

S8 S9 S10

S11

S12

P1

P2 P3

P4

P5

P6

P7

P8 P9 P10 P11

R1

R2

R3

R4

R5

R6

R7

R8

R9

R10

J

A

0,000,501,001,502,002,503,003,504,00

Structures Processes Relationalmechanisms

JIBA

110

Agenda





111

From enterprise governance of IT to business value


Business / IT alignment

Business value from IT investments

enables enables

112

Business/IT alignment and Business Value from IT

• Why is alignment important to anorganization’s success?- Research from Chan and

Bergeron: impact of alignment on business performance is higher than impact of business strategy or IT strategy

- Productivity paradox (Brynjolfson)

113

What is the relationship between organizational performance and IT governance practices based on COBIT 4.1 and Val IT

2.0?

Research scope and model

• Research model and metrics use the available concepts from COBIT and Val IT.

• Three research constructs- COBIT and Val IT processes

measured by the implementation status of 34 COBIT processes and 22 Val IT processes

- Technical, operational and business capabilitiesmeasured by the achievement status of 18 IT goals

- Business Outcomemeasured by the achievement status of 17 business goals and 3 Val IT goals

114

Questionnaire - Sample question

115

Reserach Model

COBIT and Val IT Processes

IT Goals

Business Goals

Business OutcomeMeasured by

Business Goals achievement status

Bu

sin

ess

/IT

Alig

nm

en

t

Technical Capabilitymeasured by

IT Goals achievement status

IT related Business capabilitymeasured by

IT goals achievement status

Operational Capabilitymeasured by


IT and Business Governance Practices

COBIT Processes measured by

Processes implementation status

Val IT processesmeasured by


116

Research questions

• RQ1: Does the implementation of COBIT processes and Val IT processes have an impact on the achievement of IT goal capabilities (technical, operational and business capabilities)?

• RQ2: Which subset of COBIT and Val IT processes impacts the capabilities the most?

• RQ3: Do the IT goal capabilities have an impact on the achievement of business outcome (business goals)?

• RQ4: Which IT goal capabilities impact business outcome most?

• RQ5: Ultimately, does a cascaded relationship exists between the COBIT/Val IT governance practices, the intermediate capabilities (IT goals), and the business outcome (business goals)? .

117

Research questions

• RQ6: what is the implementation status of COBIT and Val IT processes, spread over different sectors, company sizes and regions

• RQ7: what is the degree of achievement for IT goals and business goals, spread over different sectors, sizes and regions

• RQ8: Are the detailed business goals – IT goals – IT processes matrices as published in COBIT 4.1 confirmed?

118

Key findings

• The research model cascade is validated:1. A strong correlation between the implementation of COBIT and

VALIT and the achievement of IT goals2. A strong correlation between the achievement of IT goals and

the achievement of business goals• Operational oriented processes are better implemented than

planning, monitoring and value related processes. • Implementation status of the COBIT and Val IT frameworks is

typically higher in - Larger organisations- Organisations from the Financial, Manufacturing and Retail

sector - European and North American organisations.

• Knowing-Doing Gap: Organisations are aware of the importance of IT goals such as ‘Align the IT strategy to the business strategy’ but in practice do not manage to achieve them in a proper way.

• New empirically researched data is available to further develop the IT governance body of knowledge and its related frameworks COBIT and Val IT

119

The validated research cascade model

COBIT and Val IT Processes

IT Goals

Business GoalsBusiness Outcome

Measured byBusiness Goals achievement status

Technical Capabilitymeasured by


IT related Business capabilitymeasured by

IT goals achievement status

Operational Capabilitymeasured by


IT and Business Governance Practices

COBIT Processes measured by


Val IT processesmeasured by


1

2

120

Implementation status IT processes

• Operational oriented processes (AI and DS) are better implemented than planning (PO) monitoring (ME) processes.

• COBIT processes are better implemented than Val IT processes

2,502,602,702,802,903,003,103,203,303,403,50

COBITPO

COBITAI

COBITDS

COBITME

COBITTotal

Val ITVG

Val ITPM

Val IT IM

VAL ITTotal

121

Knowing-doing gap

• Comparing achievement results (this study) and importance results (previous study)

• Differences confirm knowing-doing gap- IT goal ‘Align the IT strategy to the business strategy’ was

ranked as the most important goal (rank 1) in previous research but only ranked 7th regarding actual achievement status

- IT goal ‘provide IT compliance with laws and regulations’ was ranked on the 5th place in terms of importance, but received the highest rank for achievement status

122

Summary - High impact implemented processes / achieved

IT goals relation

• 7 high impact COBIT processes• 5 high impact Val IT processes• 4 high impacted IT Goals

High impact COBIT processes- Define a Strategic IT plan (PO1)- Manage the IT investment (PO5)- Communicate Management Aims and Direction (PO6)- Assess and manage IT risks (PO9)- Identify Automated Solutions (AI1)- Acquire and Maintain Application Software (AI2)- Acquire and Maintain Technology Infrastructure (AI3)

High impacted IT Goals- Align the IT strategy to the business strategy (IT_Corp6)- Provide service offerings and service levels in line with business requirements (IT_User1)- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

High impact Val IT processes- Define and Implement Processes (VG2)- Establish Effective Governance Monitoring (VG5)- Continuously Improve Value Management Practices (VG6)- Establish Strategic Direction and Target Investment Mix (PM1)- Update Operational IT Portfolios (IM7)

123

Summary - High impact achieved IT goals / achieved

Business Goals relation

• 8 high impact IT Goals• 6 high impacted Business Goals

High impact IT Goals- Improve IT’s cost-efficiency (IT_Corp5)- Align the IT strategy to the business strategy (IT_Corp6)- Translate business functional and control requirements in effective and efficient automated solutions (IT_User3)- Accomplish proper use of applications, information and technology solutions (IT_User4)- Provide IT agility (in responding to changing business needs) (IT_Oper4)- Seamlessly integrate applications and technology solutions into business processes (IT_Oper5)- Acquire, develop and maintain IT skills that respond to the IT strategy (IT_Fut1)- Ensure that IT demonstrates continuous improvement and readiness for future change (IT_Fut3)

Highly impacted Business Goals–-Achieve cost optimisation of service delivery (B_Cust4)–-Obtain reliable and useful information for strategic decision making (B_Cust6)–-Improve and maintain business process functionality (B_Int1)–-Improve and maintain operational and staff productivity (B_Int2)–-Enable and Manage business change (B_Int3)–-Optimise business process costs (B_Int5)

124

Input COBIT 4.1 developmentMapping COBIT 4.1 / correlation matrix business goals – IT Goals

125

Input COBIT 4.1 developmentMapping COBIT 4.1 / correlation

matrix IT goals – COBIT processes

126

• Questions and discussion

• More information

- IT Governance and Alignment Research Institute• www.uams.be/ITAG

- Email• [email protected]• [email protected]

- Books• Van Grembergen W., De Haes S., Implementing

Information Technology Governance: models, practices and cases, 255p., IGI Publishing, 2008

• Van Grembergen W., De Haes S., Enterprise Governance of IT: achieving strategic alignment and value, 360p., Springer, 2009

- International Journal on IT/Business Alignment and Governance (IJITBAG)

• www.igi-global.com/IJITBAG

enterprise governance of it · bsc, information economics, sla, cobit, val it, itil, it alignment /...

Documents