Current approaches to IT governance - UiO
Transcript of Current approaches to IT governance - UiO
1 Lars Groth INF5890 IT governance
IINF5890
Current approaches to
IT governance
Lars Groth
2 Lars Groth INF5890 IT governance
Corporate negligence and regulatory failure was the root causes of the July Quebec train derailment and explosion, according to a study released by the Canadian Centre for Policy Alternatives (CCPA).
3 Lars Groth INF5890 IT governance
First traces in 1962 og 63
Ph. M. Thurston: ”Who Should Control Information Systems?”
– Harvard Business Review, November-december 1962
J. T. Garrity: ”Top Management and Computer Profits” – Harvard Business Review, July-August 1963
4 Lars Groth INF5890 IT governance
5 Lars Groth INF5890 IT governance
Most people point to Venkatraman: L. Loh og N. Venkatraman:
– Diffusion of Information Technology Outsourcing: Influence Sources and the Kodak Effect, Information Systems Research, 4, 1992
J. C. Henderson og Venkatraman: – Strategic alignment: Leveraging information technology for transforming
organizations, IBM Systems Journal, 1, 1993
6 Lars Groth INF5890 IT governance
1993
7 Lars Groth INF5890 IT governance
Basically, it is quite simple:
It si about making sure that information technology provides the best possible support for the enterprise in delivering what it is there to deliver
Then it is about managing that technology in a prudent and professional way, just as any other asset class
“Good IT governance isn’t rocket science, but it requires discipline and commitment.
– Craig Symons, Forrester Research
8 Lars Groth INF5890 IT governance
Organization and systems are interwoven
9 Lars Groth INF5890 IT governance
Complexity in the IT portfolio: DnB
DHL Blip BBS FD HP
Lax.
NT DNT
MIC PAX Class IMS/DC FD CROP FD SML Frans LOKE
Web og wap NT
FD
Base cam
p
XML gw
NT
Nips
Henrik IIX
Jane Seym
our
766 Marie
Xxl Antoinette
Olav V
Oscar II
Louis XVI
Le Dauphin.
Louis XIV
Elisabeth I.
Bredbånd
RPC Nips o APPC
Tost) APPC
Kontoer
Produkter
Kundert
Tjenester
Osv
Lån.
RPC PM / AML 123
Mye ovid
DN
Aftenposten
Client M
Q
566Tull
Investr
Fillete
788 Tøys
PD
P LIS
425 PO
RT
1478
NAV
DBS PD
Highw
ay MQ
Bil&fly
MQ
STG
SP
R
Reskontro
Forf.reg.
KGS
RTS
M
ottak
CTlib/ ADO
Harald V
II
MQ
Law
RPC Båt og motor
211 Og
322 Abra
702 Dans
003 Ka
511 Tull
922 Ren
Haakon V
Lusete
517 Pen
xls PPT
MQ
NL (SMD)
APPC
Fleipe W
eboffice
VTRAN
Hele rekka
MQ
MQ
RPC MQ
DocsO
pen
Finansavisen
Docum
ents
ADO
811 Hokus
FCP
El.skr.
DIB
FF
Onlipaper
SOAP
BBS WS
Potetskr
OnD
emand(014)
Oppvask
Mac
Magnus
Bøker
7/23
722 Pokus
Sikkerhet
655 Sang
Beat fat
MQ
780 Pokem
on
ata o/l
Anne B
oleyn
FD M
erva
671 West w
ing
US
B B
lueray
APPC
BaltAX
899 Ede
Lappete
Delter
Klump
Voltram
XML
Sang
XML/MQ
MQ
Motorveien
Nyttnytt
GUL
Alt annet
Blip
10 Lars Groth INF5890 IT governance
11 Lars Groth INF5890 IT governance
12 Lars Groth INF5890 IT governance
Organizations are woven together by system interconnections
13 Lars Groth INF5890 IT governance
Partial or incidental ITIL Six Sigma CMM/CMMI IT Due Diligence IT Service CMM SOX SAS70 SysTrust IT Audit ISO / IEC 27002 (tidl. ISO 17799) PRINCE 2
Comprehensive COBIT ASL/BiSL IT Governance Review IT Governance Assessment IT Governance Checklist ITGAP (IT Governance Assessment Process) Model ISO 38500 IT Governance Standard
Frameworks for governance
14 Lars Groth INF5890 IT governance
Relevant Norwegian laws - there are many!
Generally, they fall into three classes: – Laws that apply to all enterprises, public and
private – Laws applying to public enterprises and public
administration only – Laws applying to specific sectors or industries
The relevant provisions in these laws mainly regulate matters such as:
– Information storage – Information safeguarding – Information access – Information use, incl. universal design – Public access to information – Copyright, intellectual property
15 Lars Groth INF5890 IT governance
Some examples: Laws applying to all enterprises
– Act relating to the processing of personal data (Personopplysningsloven) – Act relating to copyright in literary, scientific and artistic works, etc. (Åndsverksloven) – Act relating to a prohibition against discrimination on the basis of disability (Diskriminerings-
og tilgjengelighetsloven)
Laws applying to public enterprises and public administration – Act relating to procedure in cases concerning the public administration (Forvaltningsloven),
(especially §15) – Act relating to public access to documents in the public administration (Offentlighetsloven)(a
new EU-directive is underway) – Act relating to Protective Security Services (Sikkerhetsloven) – Act relating to archives (Arkivloven) and Act relating to the legal deposit of generally
available documents with regulations (Pliktavleveringsloven) – Act relating to public procurement (Lov om offentlige anskaffelser) – Regulations relating to ICT standards (Forskrift om IKT-standarder) – Local government act (Kommuneloven)
Sector laws – Act relating to health personnel etc. (Helsepersonelloven) – Act relating to municipal health and care services etc. (Helse- og omsorgstjenesteloven) – Act on personal health data filing systems and the processing of personal health data
(Helseregisterloven)
16 Lars Groth INF5890 IT governance
Michael Holm Larsen, Mogens Kühn Pedersen og Kim Viborg Andersen: IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S Proceedings of the 39th Hawaii International Conference on System Sciences - 2006
17 Lars Groth INF5890 IT governance
18 Lars Groth INF5890 IT governance
COBIT Control Objectives for Information and Related Technology
A framework developed by ISACA (Information Systems Audit and Control Association), which was founded in 1967
First version launched in 1996, present version (5.0) published 2012
In 1998, ISACA established IT Governance Institute to start research on governance
ISACA offers certification in four areas, including governance: – Certified Information Systems Auditor (CISA) – Certified Information Security Manager (CISM) – Certified in the Governance of Enterprise IT (CGEIT) – Certified in Risk and Information Systems Control (CRISC)
19 Lars Groth INF5890 IT governance
Governance of Enterprise IT
COBIT 5
IT Governance
COBIT4.0/4.1
Management
COBIT3
Control
COBIT2
An business framework from ISACA, at www.isaca.org/cobit
Audit
COBIT1
COBIT 5: Now One Complete Business Framework for
2005/7 2000 1998
Evo
lutio
n of
sco
pe
1996 2012
Val IT 2.0 (2008)
Risk IT (2009)
© 2012 ISACA® All rights reserved.
20 Lars Groth INF5890 IT governance
21 Lars Groth INF5890 IT governance
Main document Summer 2012
22 Lars Groth INF5890 IT governance
”Information is a key resource for all enterprises, and throughout the whole information life cycle there is a huge dependency on technology.”
Information and related technologies are pervasive in enterprises and they need to be governed and managed in a holistic manner, taking in the full end-to-end business and IT functional areas of responsibility.”
– CobiT5, Executive Summary
23 Lars Groth INF5890 IT governance
24 Lars Groth INF5890 IT governance
25 Lars Groth INF5890 IT governance
26 Lars Groth INF5890 IT governance
27 Lars Groth INF5890 IT governance
28 Lars Groth INF5890 IT governance
COBIT5: Enabling a Holistic Approach
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
29 Lars Groth INF5890 IT governance
• Governance ensures that stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
29
The difference between governance and management
30 Lars Groth INF5890 IT governance
COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.
This means that COBIT 5: – Integrates governance of
enterprise IT into enterprise governance.
– That is, the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system. COBIT 5 aligns with the latest views on governance.
2. Covering the Enterprise End-to-end
31 Lars Groth INF5890 IT governance
Comprehensive COBIT ASL/BiSL IT Governance Review IT Governance Assessment IT Governance Checklist ITGAP (IT Governance Assessment Process) Model ISO 38500 IT Governance Standard
32 Lars Groth INF5890 IT governance
This book draws on a considerable number of studies at CISR (Center for Information Systems Research ved MIT Sloan School of Management)
A study from 2001-2003 of 256 enterprises from North and South America, Asia and Europe
40 case studies from USA and Europe from 1999 to 2003
One study of 30 IT managers from 2001
An exploratory study of IT governance from 1998-99
An examination of IT governance arrangements in 24 Fortune 100 firms in 2000
33 Lars Groth INF5890 IT governance
Cost-effectiveness in use of IT
Effectiveness in use of IT for asset utilization
Effectiveness in use of IT for growth
Effectiveness in use of IT for business flexibility
How to assess IT governance? Calculating Governance Performance Score
Importance Not important Very importantGovernance outcome 1 2 3 4 5Cost-effective use of ITEffective use of IT for growthEffective use of IT for asset utilizationEffective use of IT for business flexibility
Achievements Not succesful Very successfulSuccess measure 1 2 3 4 5Cost-effective use of ITEffective use of IT for growthEffective use of IT for asset utilizationEffective use of IT for business flexibility
Governance Performance Score: Max score: 100 Min score: 20
34 Lars Groth INF5890 IT governance
35 Lars Groth INF5890 IT governance
Accumulated answers from ITLED-courses (69 answers)
%
36 Lars Groth INF5890 IT governance
”We conclude that effective IT governance ist the single most important predictor of the value an organization generates from IT.”
Weill and Ross 2004, p. 3-4
IT Governance – How Top Performers Manage IT Decision Rights for Superior Results Peter Weil and Jeanne W. Ross 2004, Boston, Harvard Business School Press.
”The best predictor of IT governance performance is the percentage of managers in leadership positions who can accurately describe IT governance.”
Weill and Ross 2004, p. 13
37 Lars Groth INF5890 IT governance
Governance of IT: ”Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT”
To govern is to determine who decides what. Three questions must be addressed:
1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions? 3. How will these decisions be made and monitored?
The authors assert that the research presented in the book shows that the enterprises with the best technology utilization achieves up to 40% better return on their IT investmenst than their competitors
38 Lars Groth INF5890 IT governance
IT: One of the six key assets
39 Lars Groth INF5890 IT governance
40 Lars Groth INF5890 IT governance
What decisions must be made? 1. IT principles
– What is the enterprise’s desired operating model? – How will IT support it? – How will IT be funded?
2. IT architecture – What are the needs for integration and standardization – and can they be fulfilled?
3. IT infrastructure – What is going to be included in the shared platforms and services?
• Hardware and system software • IT skills and knowledge • Shared services like network and shared databases • Shared applications
4. Business application needs – What is needed, what to buy and what to develop? Particularely important when:
• Application needs challenge the establishes architecture • Parallel projects with overlapping specifications results in solutions that do not work
together, or parallel storage of data
5. Investment and prioritization – How much to spend, what to spend it on, who pays, and how to reconcile the needs of
the different IT constituencies
41 Lars Groth INF5890 IT governance
What decisions must be made? 1. IT principles
– What is the enterprise’s desired operating model? – How will IT support it? – How will IT be funded?
2. IT architecture – What are the needs for integration and standardization – and can they be fulfilled?
3. IT infrastructure – What is going to be included in the shared platforms and services?
• Hardware and system software • IT skills and knowledge • Shared services like network and shared databases • Shared applications
4. Business application needs – What is needed, what to buy and what to develop? Particularely important when:
• Application needs challenge the establishes architecture • Parallel projects with overlapping specifications results in solutions that do not work
together, or parallel storage of data
5. Investment and prioritization – How much to spend, what to spend it on, who pays, and how to reconcile the needs of
the different IT constituencies
42 Lars Groth INF5890 IT governance
The governance matrix
IT Principles
IT Architecture
IT Infrastructure
Strategies
Business Application
Needs IT
Investments Business Monarchy
IT Monarchy
Feudal
Federal
Duopoly
Anarchy
Don’t Know
43 Lars Groth INF5890 IT governance
The governance matrix (Complete)
IT Principles
IT Architecture
IT Infrastructure Strategies
Business Application
Needs IT
Investments Input Decision Input Decision Input Decision Input Decision Input Decision
Business Monarchy
IT Monarchy
Feudal
Federal
Duopoly
Anarchy
44 Lars Groth INF5890 IT governance
Most common arrangements Percent per decision type for 256 enterprises from 23 countries
IT Principles
IT Architecture
IT Infrastructure Strategies
Business Application
Needs IT
Investments Input Decision Input Decision Input Decision Input Decision Input Decision
Business Monarchy 0 27 0 6 0 7 1 12 1 30
IT Monarchy 1 18 20 73 10 59 0 8 0 9
Feudal 0 3 0 0 1 2 1 18 0 3
Federal 83 14 46 4 59 6 81 30 93 27 Duopoly 15 36 34 15 30 23 17 27 6 30 Anarchy 0 0 0 1 0 1 0 3 0 1
100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
Fat red numbers: Most common arrangements for information input Fat black numbers: Most common arrangements for decisions
45 Lars Groth INF5890 IT governance
Reasons for differences between enterprises: Different goals, both strategic and regarding performance
– Growth, consolidation, innovation – Private/public/not-for-profit
Different organizational structures or inadequate organizational structure
Position on the learning curve for IT governance
Enterprise size and complexity
Regional and industrial differences
46 Lars Groth INF5890 IT governance
Public/private Where do public enterprises differ? – Public value, not profit – Great emphasis on efficiency (cost) – Budget-based expenditure control as prime governance tool – Higher degree of formalization – Longer chains of command – Often less focus on progress in projects
Differences in governance as seen in the research results: – More business monarchies in all decisions except architectures – Significantly fewer IT monarchies in all decisions – More federal arrangements in all decisions except investments – More federal arrangements for input to all decisions – More duopolies for architecture
47 Lars Groth INF5890 IT governance
Mechanisms for implementing IT governance
We need to put in place decision-making structures
We need formal alignment processes
We need to communicate about it
48 Lars Groth INF5890 IT governance
Common decision mechanisms under different governance arrangements
Business Monarchy – Senior managment committees – Federal beslutningsstrukturer
IT Monarchy – IT leadership committees – Architecture committees
Duopolies – IT council comprising business and IT executives – Process teams with IT members – Business/IT relationship managers
49 Lars Groth INF5890 IT governance
50 Lars Groth INF5890 IT governance
Alignment Process for approval of investments
Process for architectural exceptions
Service Level Agreements
Chargeback arrangements
Tracking of projects and resources consumed
Formally tracking business value of IT
51 Lars Groth INF5890 IT governance
52 Lars Groth INF5890 IT governance
Communication Senior management announcements
Formal committees
Office of CIO or office of IT governance
Portals
Work with nonconformists
53 Lars Groth INF5890 IT governance
54 Lars Groth INF5890 IT governance
Implementing IT governance You will need mechanisms for
– decision-making – alignment – communication
Limit decision-making structures
Provide for overlapping membership in decision-making structures
– It is exceedingly simpler to achieve alignment inside heads than between heads
Implement mechanisms at multiple levels in the enterprise – Local needs for standardization may vary
Clarify accountabililty
55 Lars Groth INF5890 IT governance
What will work best?
That which suites YOU! IT should contribute as much as possible to the realization of enterprise goals....
....in a cost effective way.
56 Lars Groth INF5890 IT governance
Seven characteristics of top governance performers
1. More managers in leadership positions could describe IT governance
2. Greater engagement and knowledge on the part of senior management
3. More direct involvement of the senior leaders in IT governance
4. Clearer business objectives for IT investment
5. More differentiated business strategies
6. Fever renegade and more formally approved exceptions
7. Fever changes in governance
57 Lars Groth INF5890 IT governance
58 Lars Groth INF5890 IT governance
IT Principles
IT Architecture
IT Infrastructure Strategies
Business Application
Needs IT
Investments
Input Decision Input Decision Input Decision Input Decision Input Decision
Business Monarchy 0 27 0 6 0 7 1 12 1 30
IT Monarchy 1 18 20 73 10 59 0 8 0 9
Feudal 0 3 0 0 1 2 1 18 0 3
Federal 83 14 46 4 59 6 81 30 93 27 Duopoly 15 36 34 15 30 23 17 27 6 30 Anarchy 0 0 0 1 0 1 0 3 0 1
100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
Governance arrangements: The best and worst performers Percent per decision type
59 Lars Groth INF5890 IT governance
60 Lars Groth INF5890 IT governance
Symptoms of ineffective governance
Senior management senses low value from IT investments
IT is often a barrier to implementing new strategies
The mechanisms to make IT decisions are slow or contradictory
Senior management cannot explain IT governance
Projects often run late and over budget
Senior management sees outsourcing as a quick fix to IT problems
Governance changes frequently
61 Lars Groth INF5890 IT governance
What can you do?
Map out the present governance onto both diagrams (framework and governance matrix) Compare the two and ask how well the objectives on the Design Framework are achieved by the governance arrangements matrix – how can governance be improved?
Audit the IT governance mechanisms: – How many are active? – Are they effective both independently and
jointly?
62 Lars Groth INF5890 IT governance
Discuss the framework in a senior management meeting – especially the top boxes left and right – then design the matrix that fits the conclusions
Lead the change by using the «to be» versions of the Design Framework and the matrix
What can you do?
63 Lars Groth INF5890 IT governance
Top ten leadership
principles of IT governance
1. Actively design governance
2. Know when to redesign
3. Involve senior managers
4. Make choices
5. Clarify the exception-handling process
6. Provide the right incentives
7. Assign ownership an accountability for IT governance
8. Design governance at multiple organization levels
9. Provide transparency and education
10. Implement common mechanisms across the six key assets