- Introduction
- Corporate Governance: An Evolving Concept
- The CPR Framework for Corporate Governance
- Applying the CPR Framework to IT Governance
- Call to Action
- IT Governance Checklist
- References
Applying the CPR Framework to IT Governance
As stated in the introduction to the chapter, IT governance, properly construed, is a discipline within corporate governance; as such, the board’s perspective should be primary, and the board should be the ultimate driver of IT governance. As a discipline within corporate governance, IT governance activity should be directed in the dimensions important to corporate governance: CPR. This section provides guidance on how to implement the CPR framework for IT governance.
Applying the CPR framework to IT governance has a number of important implications, many of which flow down from the overarching discipline of corporate governance:
The board, not the IT function, must be the prime driver for IT governance. It must provide a governance framework that serves as a standardized communication interface and channel for governance and supplies simple rules to align and inform everyday decisions and actions toward sustainable financial results.
As with the corporation as a whole, sustained financial results must be the objective and prime driver for IT decisions and actions.
Govern the four assets within the purview of IT governance (infrastructure; clients and external stakeholders; internal people and process, including suppliers and partners; and value creation) in the three dimensions of CPR, and make governance responsible both for managing the current state of the enterprise and for propelling it toward its future state.
Since governance is behavior, emphasis in implementing this framework must be on changing behavior rather than introducing or changing work artifacts; roles must be set out, including expected behavior changes, not just for the board and top management, but for auditors (IT, security, financial), internal staff, and external entities (such as suppliers).
Other IT governance activities (such as IT service continuity management) and frameworks (such as the IT Infrastructure Library) must be aligned within the CPR framework, including program office, project, financial/investment processes, service-level management, business/IT alignment, security and IT audit/conformance, and IT service management processes.
These implications lead to a set of five imperatives for governance, shown in Table 19.3.
Table 19.3 Five Imperatives for Implementing IT Governance
1. Ensure the board drives governance and provides the governance framework.
2. Focus on sustained financial results.
3. Govern four assets (infrastructure, clients and external stakeholders, internal people and process, value creation) in three dimensions (conformance, performance, and relating responsibly), and include within governance managing the current and directing toward the future state of the firm.
4. Organize around governance as behavior involving key stakeholders.
5. Align sources of guidance for all IT governance within the CPR framework.
The sections that follow highlight how to go about applying the CPR framework to the IT function by suggesting how to implement governance measures to meet each of the five imperatives. The five imperatives are addressed in turn.
Ensure the Board Drives Governance and Provides the Governance Framework
Governance is an activity performed jointly by the board and corporate departments. The board sets direction and policy, and departments execute and contribute their best advice and judgment. The IT function cannot be an exception. Where IT really matters to the corporation's future, it makes sense to involve corporate directors in infrastructure concerns. The following statements, from a recent article by Thomas Hoffman (2004), attest to this fact.
A small number of companies, including Novell, Inc., and FedEx Corp., have elevated responsibility for IT governance to their boards of directors in an attempt to ensure that they have high-level oversight of technology investments.
Novell’s oversight committee, which also includes four other directors from outside the company, monitors major projects and decisions about Novell’s technology architecture.
FedEx created an IT oversight committee four years ago that includes board members. Like Novell’s committee, the one at FedEx oversees major IT-related projects and architecture decisions and advises both the senior IT management team and other board members on technology issues, according to a spokeswoman for the Memphis-based company.
While the board should rightly drive IT governance, this does not mean that you, the CIO, cannot or should not work to influence how they go about it. In fact, you must ensure that you have what you need to be successful in your role. This starts with understanding your board’s current posture, that is, the role they play in the corporation. Typical board postures include
Window dressing (provide image enhancement)
Strategic (address long-term and policy issues)
Operational (direct day-to-day activities)
Networking (create and enhance relationships)
All-purpose (work at all levels to some extent)
Reckoning your board's current posture, its raison d'être, is a vital first step toward understanding what you can do to influence its perception. You may need to take deliberate steps to make the integration of corporate and IT governance a "real and present" concern for your board, because the board will not drive IT governance unless it sees it that way.
Once you have taken into account the current posture of the board, you must decide where responsibility for IT governance should reside. You will need to define the roles and relationships relative to IT governance of key stakeholders, including owners/shareholders, the board, and top management. The following is intended as a helpful guideline for dividing these responsibilities in a large enterprise:
Performance aspect: the board
Conformance aspect: corporate governance committee, compliance committee, audit committee
Relate responsibly: the board and committees
It is important to map these roles specifically to the IT function to ensure clarity of purpose and completeness of coverage.
You may also have to adjust the board's tasks, roles, and education to ensure that the integration of corporate and IT governance "takes." Ask: Do you have someone on the board who has
primary responsibility for IT governance written into his or her role and responsibilities?
the requisite specialized knowledge and expertise to do the job?
the interest to invest the appropriate time and energy required to make a difference?
If not, consider including an outside director for this role.
Also, ask yourself the following questions:
Do you have an independent audit, corporate governance, or compliance committee?
Are members clear on their role in crisis management for major IT incidents, including how they should liaise with operational IT crisis teams? Have they been trained to do so?
Is the intersection of IT and corporate governance part of your ongoing education program plan for your directors and part of your orientation program for new directors?
Is IT governance information part of the package prepared for new board members?
So far, the tactics mentioned for getting the board to drive IT governance have been largely influence, education, and role specification. Another key tactic is to leverage Service Level Management as the "communications interface" between corporate and IT governance. This tactic is outlined in the paragraphs that follow.
Leverage Service-Level Management as Nexus between IT and Corporate Governance
Properly construed, IT organizations are service providers within the corporation. Ideally, they provide a defined set of IT-based services to business customers (those who shape and fund the services) and users (those who rely on the services to perform their work). The notion of IT as a service provider is the essence of the concept of IT service management (ITSM). ITSM is a model for managing IT as a business, where the quality of service, as perceived by the customer, is the number one driving and aligning force in the organization.
ITSM guidance includes the Service Level Management (SLM) process, which consists of the following activities:
Defining and agreeing to the services provided (quality, service levels, cost)
Aligning IT infrastructure provider activities to deliver on commitments
Managing the service experience
Managing customer–provider (and provider–provider) relationships
Improving service levels and value within cost constraints
Delivering as agreed, consistently maintaining commitments
The benefits of SLM include:
Enhanced understanding by the business and IT of each others’ requirements and constraints
Better information for IT and business decision making
Better alignment between the business and IT
More focused and accountable providers and suppliers
Clearly defined services, cost, and value
Continuous improvement of services and lower costs
Enhanced customer and provider satisfaction
More effective business use of IT
Service-level management is the primary mechanism for managing the IT function as a services business. As shown in Figure 19.4, a good deal of effort goes into ensuring that the services IT provides meet business needs, are delivered in a way that creates and maintains customers’ satisfaction, and ultimately help the corporation create value and drive profit.
Figure 19.4 The service-level management pyramid.
Source: Pultorak, David. Exploring the Intersection of Service Level Management and Corporate Governance. BetterManagement.com Web Seminar, Thursday, December 4, 2003.
As you can see, in managing IT as a services business, services are at the center of all activity. To ensure services are delivered and supported according to commitments, the underlying technical infrastructure and systems must be up to the task. The boxes on the left-hand side of the diagram show that a service is part of a larger catalog of services and may depend on other services, as well as on service support and delivery processes, to function properly. The boxes on the right-hand side show that services need tending by a service manager of some sort and rely on internal agreements between organizational units (operational level agreements) as well as contractual agreements with suppliers (underpinning contracts). The relationships with providers, both internal and external, need tending as well.
The right-hand upper boxes show that a service-level management process—a process that ensures services are designed, developed, delivered, and supported as they should be through agreeing, measuring, monitoring, reviewing, auditing, reporting, managing, and improving—must be in place to ensure consistent results and value. Lastly, the boxes at the top of the diagram show that the service-level agreement (SLA) is the primary interface to the customer, existing only to meet business needs that drive value and financial results.
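The measuring, monitoring, and reporting activities just described are what make an SLA checkable rather than aspirational. The following Python script is an added example, not part of the original chapter and not ITIL's own material: it evaluates constructed outage records for two hypothetical services ("payroll" and "crm") against an agreed availability target and a maximum single-outage duration for one reporting period, and produces the kind of attainment record that feeds the conformance dimension (was the commitment kept?) and the performance dimension (how far above or below target?). Service names, targets, dates, and outage times are all invented for illustration; the treatment of planned maintenance as excluded from downtime is an assumption about what the hypothetical SLA says.

```python
"""SLA attainment report: constructed outage data checked against agreed service levels.

Added example; the services, targets, and outages below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: datetime
    planned: bool = False  # assumption: agreed maintenance windows do not count against the SLA


@dataclass(frozen=True)
class ServiceLevel:
    service: str
    availability_target: float  # fraction of the reporting period, e.g. 0.995 for 99.5 %
    max_outage_minutes: int     # longest single unplanned outage the customer agreed to tolerate


def unplanned_minutes(outages, service, period_start, period_end):
    """Return the duration in minutes of each unplanned outage of `service`, clipped to the period."""
    durations = []
    for o in outages:
        if o.service != service or o.planned:
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)  # clip to the reporting period
        if e > s:
            durations.append((e - s).total_seconds() / 60)
    return durations


def assess(sla, outages, period_start, period_end):
    """Compare one service's measured outages with its agreed levels; return an attainment record."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    downs = unplanned_minutes(outages, sla.service, period_start, period_end)
    availability = 1.0 - sum(downs) / period_minutes
    longest = max(downs, default=0.0)
    breaches = []
    if availability < sla.availability_target:
        breaches.append(f"availability {availability:.4%} below target {sla.availability_target:.2%}")
    if longest > sla.max_outage_minutes:
        breaches.append(f"longest outage {longest:.0f} min exceeds {sla.max_outage_minutes} min limit")
    return {
        "service": sla.service,
        "availability": round(availability, 6),
        "allowed_downtime_minutes": round((1 - sla.availability_target) * period_minutes, 1),
        "unplanned_downtime_minutes": round(sum(downs), 1),
        "longest_outage_minutes": round(longest, 1),
        "met": not breaches,
        "breaches": breaches,
    }


def report(slas, outages, period_start, period_end):
    """One attainment record per agreed service level, in SLA order."""
    return [assess(s, outages, period_start, period_end) for s in slas]


# Constructed sample data: one 30-day reporting period for two hypothetical services.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 1, 31)
SLAS = [
    ServiceLevel("payroll", availability_target=0.995, max_outage_minutes=120),
    ServiceLevel("crm", availability_target=0.999, max_outage_minutes=60),
]
OUTAGES = [
    Outage("payroll", datetime(2024, 1, 5, 9, 0), datetime(2024, 1, 5, 10, 30)),               # 90 min
    Outage("payroll", datetime(2024, 1, 14, 2, 0), datetime(2024, 1, 14, 6, 0), planned=True),  # excluded
    Outage("payroll", datetime(2024, 1, 20, 14, 0), datetime(2024, 1, 20, 14, 45)),             # 45 min
    Outage("crm", datetime(2023, 12, 31, 23, 30), datetime(2024, 1, 1, 0, 10)),                 # 10 min inside period
    Outage("crm", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 9, 40)),                   # 100 min
]

if __name__ == "__main__":
    for row in report(SLAS, OUTAGES, PERIOD_START, PERIOD_END):
        status = "MET" if row["met"] else "BREACHED"
        print(f"{row['service']:8} {status:9} availability={row['availability']:.4%} "
              f"downtime={row['unplanned_downtime_minutes']} min "
              f"(allowed {row['allowed_downtime_minutes']} min)")
        for b in row["breaches"]:
            print(f"    - {b}")
```

Two details are worth noting for a real SLM report: outages that straddle the period boundary are clipped so that downtime is never counted twice across periods, and the "allowed downtime" figure is derived from the target rather than stated separately, so the report and the SLA cannot drift apart.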
Service-level management provides an ideal basis for the interface between IT and corporate governance because it and corporate governance have much in common; both service-level management and corporate governance
Are governance mechanisms.
Have the aspect of agency/representation; that is, a small group of individuals represents the interests of a larger group.
Have a "down and in" management aspect and an "up and out" leadership aspect—in other words, both SLM and corporate governance require managing infrastructure and internal people and process as well as managing clients and external stakeholders.
Focus on performance, conformance, and relating responsibly to stakeholders.
Focus on maximizing value and minimizing risk.
Have stakeholders in common.
Are evolving areas after many years without change.
Feature widespread agreement on "why" and "what" and just as widespread lack of agreement on the "how" of implementation.
How to Integrate Service-Level Management and Corporate Governance
To leverage SLM as the nexus for IT and corporate governance, it helps to start by adopting and adapting internationally recognized standards that are understood by IT. The de facto international standard for IT service management is the IT Infrastructure Library (ITIL), a publicly available, vendor-neutral body of guidance originally developed by the UK government's Central Computer and Telecommunications Agency (CCTA) with input from industry practitioners. ITIL includes the service-level management process and is an excellent place to start. While ITIL guidance is strong in the areas of performance and relating responsibly, it is weak in conformance aspects. To cover these, one should look to CobiT, which is also internationally recognized guidance, in this case focusing on control and compliance. A standards-based approach leveraging ITIL and CobiT helps ensure a defensible compliance position and accelerates compliance. A word of warning: while CobiT and ITIL can and should be used in conjunction, one should not expect them to fit together like so many jigsaw puzzle pieces; a key difference is that CobiT tends to focus on describing where you should be, whereas ITIL has more coverage of how you might get there.
Focus on Sustained Financial Results
To drive governance down into the IT organization, all day-to-day decisions and actions must include a focus on and consideration of sustained financial results as a goal. For example, a "go/no-go" decision on an IT change should not be made just on technical merits; the business impact of the change must be considered as well.
Maintaining focus on financial results is another area where utilizing industry-standard ITIL guidance is extremely useful. ITIL includes process guidance for Service Level Management, as previously mentioned, which ensures a focus on the business value of services, as well as guidance for Financial Management for IT Services, which covers aspects of investment appraisal, budgeting and accounting, and charging.
Govern four assets—infrastructure, clients & external stakeholders, internal people & process, value creation—in three dimensions—conformance, performance, and relating responsibly, and include within governance managing the current and directing toward the future state of the firm
Table 19.4 outlines the dashboard of metrics required to manage the current state of the IT function and its future state along the dimensions of CPR and in the four key areas all businesses must pay attention to: infrastructure, clients and external stakeholders, internal people and process, and value creation. The idea is that a short list of the most relevant metrics for the organization be represented in each of the boxes and measured and managed to, ensuring that the IT function is driving toward sustainable financial results.
Table 19.4 CPR Key Performance Indicator Dashboard
Organize Around Governance as Behavior Involving Key Stakeholders
Each internal key stakeholder must have his or her activities relative to IT governance stated as a set of job parts and standards (completing the statement "performance is effective when..."). Figure 19.5 is adapted from the author’s chapters in IT People: Doing More with Less (2005), which you can refer to for a worksheet and more information about how to go about it.
Figure 19.5 4-S job planning.
Source: Kern, Pultorak et al., IT People: Doing More with Less, 2005.
A similar exercise is recommended to describe the roles of clients and external stakeholders in order to capture their roles and responsibilities, although of course such documentation would not constitute job parts and standards.
Align Sources of Guidance for IT Governance with the CPR Framework
In this section, a number of common IT governance frameworks are mentioned in turn, with guidance on how each can be aligned within the CPR framework.
ISO/IEC 17799 and BS7799-2
ISO/IEC 17799 is an international standard code of practice that constitutes best practices in information security. Security guidelines are provided in the ten areas shown in Table 19.5.
Table 19.5 The Ten Guideline Areas of ISO/IEC 17799
1. Security policy
2. Security organization
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network management
7. System access control
8. System development and maintenance
9. Business continuity planning
10. Compliance
BS7799-2 is the complementary specification: it sets out the requirements for establishing, operating, and improving an information security management system (ISMS), and it is the standard against which an organization can be certified. ISO/IEC 17799, by contrast, is a code of practice providing guidance on identifying and implementing the controls needed to meet those requirements. (BS7799-2 was subsequently adopted internationally as ISO/IEC 27001, and ISO/IEC 17799 was renumbered ISO/IEC 27002; the alignment described below applies equally to the successor standards.)
ISO/IEC 17799 and BS7799-2 can be integrated into the CPR governance framework primarily within the conformance dimension. Tracking of improvements falls under the performance dimension, and managing perceptions around security issues falls under the relating responsibly dimension. Infrastructure and internal people and process are the two primary asset areas within which ISO/IEC 17799 and BS7799-2 fit.
CMM/CMMI and ISO/IEC 15504 (SPICE)
The original Capability Maturity Model (CMM), and subsequent integrated versions (CMMI), were created by the Software Engineering Institute (SEI) to optimize software development through a framework of continuous process improvement. CMM defines five levels of maturity of software processes: initial, repeatable, defined, managed, and optimizing. ISO/IEC 15504 (also known as SPICE) is a framework for assessment methods compatible with CMMI, the first elements of which were published in 1995.
CMM/CMMI and ISO/IEC 15504 can be integrated into the CPR governance framework primarily within the Performance dimension. Tracking of compliance to specified policies and procedures falls under the Conformance dimension. Managing perceptions around capability achievement falls under the "Relating Responsibly" dimension. The primary asset area that these maturity models fall under is Internal People and Process.
Deming, EFQM, BNQP, ISO/IEC 9000, TQM, Six Sigma
Deming, EFQM, BNQP, ISO 9000, TQM, and Six Sigma are quality management systems and methods. The management aspects of these frameworks fall primarily under the Conformance dimension. The improvement aspects fall largely under the Performance dimension. The primary asset area governed by these frameworks is Internal People & Process, although Infrastructure is also important here.
IT Governance: Weill and Ross
Weill and Ross’s recent book (2004) is widely quoted as a reliable source of research on IT governance. It is research-based, describing how real practitioners view IT governance. In it, Weill and Ross conceptualize IT governance as decision making within a decision-making framework; their consequent focus is on decision rights and accountability. The book comes from an IT perspective: your perspective, that of CIO.
Weill and Ross’s work spans all asset areas to be governed, and the authors provide their own take on what those assets should be: human, financial, physical, IP, information and IT, and relationship. While the book spans all dimensions of governance as well, the focus is on a subset of governance behavior—decision making. Weill and Ross’s contribution is an excellent source of guidance for realizing many, but not all, aspects of the CPR framework.
CobiT
The Control Objectives for Information and Related Technology (CobiT) framework focuses on compliance and control. The guidance comes from an IT perspective, this time from the perspective of IT auditors. CobiT (ISACA 2000) substantially strengthens the EDP audit function. It is detailed, prescriptive, and complete, and provides a standardized approach to IT accountability.
As Table 19.6 shows, CobiT provides guidance in four key areas: Planning & Organization, Acquisition & Implementation, Delivery & Support, and Monitoring.
Table 19.6 CobiT Provides Guidance on 34 Processes in Four Key Groups
PLANNING & ORGANIZATION
- Define a strategic IT plan
- Define the information architecture
- Determine the technology direction
- Define the IT organization and relationships
- Manage the investment in IT
- Communicate management aims and direction
- Manage human resources
- Ensure compliance with external requirements
- Assess and manage risks
- Manage projects
- Manage quality

ACQUISITION & IMPLEMENTATION
- Identify automated solutions
- Acquire and maintain application software
- Acquire and maintain technology infrastructure
- Develop and maintain IT procedures
- Install and accredit systems
- Manage changes

DELIVERY & SUPPORT
- Define and manage service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise IT customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations

MONITORING
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit
Because CobiT focuses on control and comes from the perspective of IT audit professionals, CobiT is ideal for approaching the Conformance dimension of IT governance. While the focus is on control, CobiT is applicable beyond the Conformance dimension, with guidance in seven criteria areas:
Effectiveness
Efficiency
Availability
Integrity
Confidentiality
Reliability
Compliance
The primary asset area aligning with CobiT is Internal People & Process, with emphasis also in the Infrastructure asset area.
ITIL
ITIL (the Information Technology Infrastructure Library) is a collection of best practices for IT service management. ITIL's guidance is written from the perspective of the IT professional, is aimed at alignment with the business, and is focused on efficient and effective IT services. ITIL has been developed and widely implemented globally over roughly the last 20 years. ITIL is appropriate for all corporations because it is vendor-neutral, nonproprietary, and scalable. That is, no matter how large or small your corporation, national or international in scope, ITIL "fits" with whatever technology you have put in place. Over 10,000 companies are using ITIL, and over 100,000 IT professionals worldwide are certified in ITIL practices.
The focus in ITIL is on effective and efficient IT processes (such as Change Management and Capacity Management) in support of the delivery of IT services. The objective is to position IT as a service provider, a partner with the business, and an enabler of business goals rather than as a mere operator of increasingly complex technology.
ITIL provides guidance and mechanisms that are ideal for realizing the performance and relating responsibly dimensions of IT governance. While the primary asset area that aligns with ITIL is internal people and process, ITIL guidance spans all four asset areas. In addition, while ITIL guidance is not focused on conformance, it enables conformance by specifying the process domains required to carry out the business of IT, which is a necessary basis for ensuring compliance with codes produced by relevant authorities (for example, a particular conformance area such as Sarbanes-Oxley compliance may require that change management processes be in place; ITIL provides the general outlines of such processes, into which controls can be inserted to ensure compliance). As such, it provides an ideal complement to CobiT as the basis for realizing full coverage in all three dimensions of governance: conformance, performance, and relating responsibly.
IT must therefore broadcast its contribution to the corporation in service terms: who, what, where, why, and when has IT applied the resources at its command to support the business? Running an infrastructure, no matter how complex, does not by itself add value to customers or profit to the corporation. The goal is to align that infrastructure engine so that it drives toward understandable business results, and this alignment comes about only through ongoing, specific dialogue between IT and the business on the subject of service. ITIL supports that dialogue with tools as well as processes: service-level agreements and the configuration management database on the one hand, and processes such as change management and capacity management on the other, all in support of the delivery of IT services.
ITIL is very clear on what needs to be done for IT to support a business service. In focusing on business and IT alignment, it drives home the performance and relating responsibly tenets of governance through close definition of a set of processes. These processes are directed at IT customers (i.e., corporate departments that define and commission IT services) as well as users (i.e., employees that use IT day-in and day-out). The ITIL service management processes and their aims are listed and described in Table 19.7.
Table 19.7 Information Technology Infrastructure Library
These ten disciplines work in concert to present the power of the underlying IT infrastructure in ways understandable to the business. Principal among its tools are the service catalog and corresponding service-level agreements (SLA) that document the mutual expectations of IT and the business. According to Weill and Ross (2004), the service catalog and SLAs...
list available services, alternative quality levels, and related costs. Through negotiations between the IT services unit and the business units, an SLA leads to articulation of the services IT offers and the costs of the services. These negotiations clarify the requirements of the business units, thereby informing governance decisions on infrastructure, architecture, and business application needs. (p. 101)
The service catalog and SLAs drive all of the other ITIL processes. The service catalog acts as a menu, and the SLA as an agreed "order" from that menu, forming the basis for common ground between corporate departments and IT. It establishes the boundaries of conformance because it has the business and IT work together to plan what to do, to do it, and to accumulate evidence that it has been done. It records the mutual understanding of quality, whose measurement brings performance characteristics to the fore. Lastly, it sets the cost parameters, what the business can afford and what IT can spend, reflecting the balance of supply and demand that underscores relating responsibly.
IT service management is not a one-step approach for infusing IT with the three-part framework of governance, but it takes the first step by elevating the dialogue where business goals and objectives are the nouns, service is the verb, and the innumerable details that constitute the technical infrastructure are secondary.
In short, the service focus proposed here allows the board to expect more, to demand more, and to require greater transparency in reporting on the business value of IT services. Microsoft adopted and adapted ITIL, transforming it into the Microsoft Operations Framework (MOF) to secure even stronger benefits for the corporation and its goals. As Ron Markezich, CIO for Microsoft Corporation says, "Our goal in IT at Microsoft is to use technology as a competitive advantage for Microsoft. Our focus on Microsoft Operations Framework and service management helps us ensure a foundation of reliable, effective and trustworthy IT services that are required for our users to get the most out of the services IT provides."
Other Mechanisms Associated with IT Governance
Some professionals equate IT governance in whole or in part with a variety of management mechanisms in use in organizations. Chief among them are program, project, and portfolio management; enterprise architecture; business and IT alignment; and the strategy, policy-setting, and planning functions performed by the board, executive management, and specialized staff. A variety of guidance exists for these mechanisms, such as the PMBOK for project management. While it is beyond the scope of this chapter to review all such guidance, it is important to note that many consider such mechanisms an important part, and in some cases the primary part, of IT governance, sometimes going so far as to equate these mechanisms with governance itself. While each has a role in governance, the general guidance given here is to apply such mechanisms within an overarching framework that aligns them.