Governance of the IT Function

Chapter 9

2

Key Learning Objectives

–Understand the concepts of enterprise governance and IT governance, and the connection between the two–Understand the need for IT governance and the potential benefits of good IT governance–Recognize the primary domains of IT governance and learn about effective approaches for developing an IT governance framework

3

Governance of a business enterprise

• The process of structuring, operating, and controlling the organization

• With a view to achieving its long term strategic goals, serving the interests of its various stakeholders, and complying with legal and regulatory requirements

4

IT governance

• Same as management issues…– Resource allocation choices, risk and

return trade-offs, and alignment of goals

• Different in the level of these issues…– Overarching and integrated approach,

addressing broad themes

5

Agenda

• The essentials of enterprise governance

• The impetus for better IT governance

• Benefits of effective IT governance• The scope and practice of IT

governance• Designing IT governance: critical

success factors and good practices

6

The essentials of enterprise governance

• Agency problem– Physical separation between the owners of a

company and its managers (or agents) provides those managers the opportunity to act in ways that are advantageous to themselves but detrimental to the interests of the owners

• Conformance (control and monitor)– A board of directors intended to oversee

organizational strategies, structures, and system on behalf of the shareholders

– An external auditor who should offer insight into the reliability of the company’s financial statements

– Sufficient??

7

Governance is…

• The process of establishing lines of responsibility, authority, and communications

• As well as policies, standards, measurement, and internal control mechanisms that guide people in fulfilling their roles and responsibilities

• Can be implemented by management, through different kind of control systems, to maintain or alter patterns of organizational behaviour

8

Control system• Traditionally (one way)

– Used to measure critical performance variables– Focus on outcome

• Additional governance mechanisms– Value management systems

• Strengthen and sustain commitment to core organisational values

– Risk management system• Delineate the boundaries between acceptable and

unacceptable risks and standards of business conduct– Strategic control systems

• Focus on communicating and implementing the organisation’s strategy, while encouraging debate about that strategy intended to stimulate learning and growth

– Balance between innovation and control, and ensure the successful achievement of profit goals and strategies

9

The benefit of good enterprise governance

• Affect a company’s share price or its cost of raising capital– E.g. international start-up companies

apply robust governance requirements to go public aboard

– Private companies and non-profit organizations relies on external resources such as debt-financing or foundation support

10

Introducing IT governance

• The purpose– Ensure that the resources accorded to an

initiative are appropriate for the risk and return anticipated from that initiative and that the initiative aligns with organisational goals

• Ways to ensure the IT function supports and advances the strategies and objectives of the overall organization

• Procedures to involve relevant stakeholders in critical IT decision

11

The impetus for better IT governance

• Practice of more formally monitoring and measuring the use of IT assets is recent– The critical contributions of information and

IT to contemporary organizations have focused attention on ways to better manage potential risks and desire returns in this domain

– Companies seek to establish and improve general governance, risk management, and compliance practices(GRC), attention to the role of IT

12

• The business value of IT• A major goal of IT governance: ensure It creates

value for the organization– Often ill-prepared to explain how IT contribute to

strategic value and productivity gains• Different levels

– Measure day-to-day efficiency and effectiveness of IT

– Help achieve a central aspiration of many companies: greater alignment of IT with the business• Facilitating innovation, underpinning new

products and services or reaching new customers

• “decrease cost” and “improve business models” transition– Establish procedures and criteria for evaluating,

prioritizing and monitoring the major IT investments

13

• Recognition of IT impact

• No “black box” approaches• Involve IT, business customers, and

other corporate functions

14

• IT as an enabler of corporate governance and compliance

• Regulations – governing financial accountability,

financial risk management and recovery from disaster• Disclosure of business information• Financial reporting process

– Data retention– Information protection

• Anti-terrorism

15

Benefits of effective IT governance

• Generate better returns for their shareholders than equivalent organizations with ineffective IT governance– Cost reduction, improved customer

satisfaction, greater security, enhanced alignment between IT and business, revenues,

– profits, customer retention level

16

IT-related problems that can be addressed by better IT governance• A disconnect between IT strategy and business strategy• IT not meeting or supporting compliance requirements• High cost of IT with low or unproven return on investment

(ROI)• Serious IT operational incidents• IT service delivery problems• Insufficient number of staff• Staff with inadequate skills• Problems with outsourcers• Lack of agility/development problems• Problems with document content or knowledge management• Inadequate disaster recovery or business continuity measures• Electronic archiving or storage problems• Security and privacy incidents

17

The scope and practice of IT governance

• Elements of a governance system– Leadership roles, organizational structures, business

processes, standard, and measures of compliance to these standards

– Involve the whole organization

• Aim– Shape decisions concerning IT use in the organisation– Determine criteria by which to assess conformance to

these decisions– Define mechanisms by which these decisions can be

communicated, implemented, and enforced throughout the organization

18

• IT-business alignment

• IT strategy to be developed in parallel with business strategy, rather than in response to it

• IT steering committee/IT strategy committee– Both IT and business executives

19

• Investment Value

• Define processes to ensure the involvement of all relevant stakeholders, including IT manager, business unit leaders, functional representative, and the board

• The board may be directed to review IT budgets and plans on a regular basis

• Define standard procedure for determining the business worth and risk of IT-enabled business investments

20

• Project delivery

• Determining responsibilities sand accountability together with accompanying processes, standards, and measures to ensure that projects conform to architectural standards, meet business objectives, and deliver on their promised benefits in a cost-effective manner– Define standard project management– Identify critical project management skills– Establish levels of approval and project milestones to control

the disbursement of funding

• Balance between – Reduce project risk by reducing variance in the project

implementation process– Allows the right amount of flexibility that will yield more

effective results

21

• Service delivery

• Specifying structures, roles, and techniques for managing and controlling IT services– Cost transparency mechanisms– Service-level agreement

22

• Resource management

• How IT assets and resources, including staff, are utilized

• Define structure, criteria, and processes for making decisions regarding the outsourcing of particular skills, technologies, or IT capabilities

23

• Measurement of IT performance

• Designing and implementing structures and controls for measuring IT performance reliably and in terms that are valuable to the business and external stakeholders– Balanced scorecard technique• Different dimensions such as achievement

of business goals, user satisfaction, operational excellence, and support for learning and growth

24

Source: eetodorov.comAdapted from Robert S. Kaplan and David P. Norton, “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review (January-February 1996): 76.

25

• Risk management

• IT risks– A lost of service, inappropriate access to

confidential or sensitive information, the risk that infrastructure is inadequate to meet the current and future needs of the business in a cost-effective and timely manner

• Risk management may involve– Identifying various possible sources of risk,

determining acceptable level of each type of risk, defining metrics for monitoring and measuring each type of risk, instituting internal processes and roles to address unacceptable changes in the level of each type of risk

26

Designing IT governance: critical success factors and good practices

• No single best model of IT governance

• Should account for the size, industry, strategic goals, organizational culture, and local environment of the enterprise

27

• Intentional but minimalist design– No overly complicated procedures or excessive monitoring

and reporting– Not meet all possible goals, focus on conflicting goals

• Board-level leadership– Only 12% had implemented board-level oversight

mechanisms for IT resources

• Broad-based executive involvement– C-level executives

• Clear ownership but broad participation– The board should be ultimately responsible for all

governance– Designate an individual/group to be accountable for the

design, implementation, and performance of IT governance (e.g. CIO, CEO or CFO)

28

• Enforce execution but accommodate exception– Transparent exception handling process

• Define benefits and target expectation– ROI metric is neither feasible nor justified– Indicators should be meaningful for both IT and the

business, and are linked to business and IT goal

• Aim for evolution not revolution in implementation– Link IT governance to key business objectives, such

as cost reduction, innovation, agility, simplification, customer satisfaction, and compliance