
Practical Information Technology Governance

Creating an Environment for Business Driven Effective IT Management, Decision Making and Operations

Alan McSweeney

Contents

IT Governance as a Means to an End
Benefits of IT Governance
IT Governance Drivers and Principles
IT Governance and Best Practice Standards
IT Governance Architecture Framework
Implementing Effective IT Governance
IT Governance with COBIT
COBIT Domain and Process Structure
COBIT Information Measurement Criteria
COBIT Process Goals and Metrics
Implementing IT Governance
Lessons Learned From Implementing IT Governance

63% of organisations feel that IT is very important to the delivery of the overall
organisation strategy. Yet only 33% of general management within organisations see the
alignment between business and IT as being very good. The need to bridge this
disconnect between business and IT is one of the fundamental reasons for IT Governance.

IT Governance creates a framework where IT management can be performed effectively
and IT-related decision making focuses on the effective and efficient running of IT
operations and services. Underlying the idea of IT Governance is the concept of IT and
business alignment.

Implementing IT Governance is good for both the organisation and for IT. It ensures
that IT delivers value and that the value of IT is understood. Appropriate IT Governance
can yield real business benefits. IT Governance imposes a standard that ensures IT is
aligned to business strategy and objectives.

COBIT provides a ready-made flexible IT Governance framework that can subsume
other more detailed and specific best-practice frameworks. Implementing IT Governance
is similar to any other IT or business project and should be approached and managed in
the same way.

Some “quick wins” from IT Governance can be achieved by implementing the following:

• Ensure that IT project priorities are based on business priorities
• Audit existing IT processes and modify to ensure they are effective
• Ensure that IT projects are led by the business and strongly supported by IT
• Develop an IT scorecard designed for a business audience that includes details on
how IT creates and delivers business value
• Implement a standard process for determining the business value (both
financial and non-financial) and risk of IT-enabled business investments
• Create an IT Strategy Committee with business involvement


IT Governance as a Means to an End

IT Governance creates a framework where IT management can be performed
effectively and IT-related decision making focuses on the effective and efficient
running of IT operations and services.

IT Governance can be seen as one more non-value adding overhead that is part
of the ever increasing compliance overhead imposed on organisations. There can
be a real reluctance to consider IT Governance programmes because of
“compliance fatigue” associated with the many compliance requirements that
have arisen in the past years. However the adoption of appropriate and relevant
IT Governance will yield real business benefits. Appropriate is the key word
here: there are no prizes for excessive controls.

[Figure: How would you rate your organisation’s maturity level on IT Governance? Source: IT Governance Global Status Report—2008]

Information Technology is investment-intensive. Change is both common and
frequent. The speed with which an organisation correctly adopts innovation
and deployment is critical in developing and maintaining competitive
advantage.

The core function of IT is to serve the business. Alignment of IT with
organisational goals and objectives and the management of IT to serve and
support the business in its pursuit of success all require clear governance.
Conversely, this also needs a business that is engaged with IT.

In making a decision to implement an IT Governance framework, it is
important to be practical and realistic. Appropriate governance is what is
required and governance for a reason rather than for its own sake.

Benefits of IT Governance

Underlying the idea of IT Governance is the concept of IT and business
alignment. The linkage of IT with business objectives remains a key issue for
IT management. The implementation of IT Governance is designed to deliver
real benefits:

• Better IT to business alignment built on a business focus
• Improved maintenance and operations planning
• Establishment of data and information standards
• Management view of what IT does and increased visibility of IT spending
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders based on a common
language
• Fulfilment of the governance requirements for the IT control environment
• A comprehensive IT Governance model for managing all IT resources

[Figure: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? Source: IT Governance Global Status Report—2008]

IT Governance fits into an increasingly crowded landscape of corporate
governance, regulation and compliance rules and standards.


However there are tangible financial advantages to implementing IT
Governance. Analyses and comparisons demonstrate that companies with
effective IT Governance have profits that are 20% higher than similar
companies without an IT Governance framework.

[Figure: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? Source: IT Governance Global Status Report—2008]

IT Governance helps IT meet the expectations placed on it by business by:

• Delivering quality IT solutions on time and on budget
• Employing and exploiting IT to deliver business value
• Leveraging IT to increase efficiency and productivity while managing
IT risks

There are two aspects to IT controls:

1. IT must implement internal controls around how it operates
2. The systems IT provides to the business and the underlying business
processes these systems implement must be controlled – these are controls
external to IT

[Figure: How would you describe the level of engagement by business management in the governance of IT-enabled business initiatives? Source: IT Governance Global Status Report—2008]

IT is impacted by business requirements as IT drives the business process and
manages the information that such governance seeks to control. IT is at the core
of most complex businesses. IT is required to manage itself more effectively and
reliably in order to respond to these requirements.

The twin drivers of increasing complexity and the need for greater cost controls
will exert continuous pressure on IT operations and make using best practice
frameworks to implement governance solutions the only real answer
available.

Appropriate IT Governance can yield real business benefits. IT
Governance imposes a standard that ensures IT is aligned to business
strategy and objectives.


IT Governance Drivers and Principles

63% of organisations feel that IT is very important to the delivery of the overall
organisation strategy. Yet only 33% of general management within
organisations see the alignment between business and IT as being very good.
The need to bridge this disconnect between business and IT is one of the
fundamental reasons for IT Governance. The drivers of IT Governance include:

• The search for competitive advantage through more effective use of
information and IT
• The need to align technology projects with strategic organisational goals,
ensuring they deliver planned value through greater project governance
• Operational risk management and the proliferation of threats (internal
and external) to information and IT
• The governance requirements of various compliance obligations
• Increasing regulatory compliance and information and privacy
legislation

[Figure: How would you describe the fit or alignment between your corporate governance practices and IT Governance practices? Source: IT Governance Global Status Report—2008]

IT Governance is important for all organisations. Those without an IT
Governance strategy face risks; those with one perform better.

In the current corporate governance environment, where the value and
importance of information assets are sizeable, core governance principles must
be extended to information and IT. These principles include establishing
strategic aims, providing strategic leadership, overseeing and monitoring the
performance of executive management and reporting to shareholders on their
stewardship of the organisation. The IT function must be aligned to the larger
organisation. A lack of openness within IT is simply not consistent with the
expectation of pro-activity and governance transparency. IT Governance
should be focussed on four key areas, divided into two groups:

Goals of IT Governance
1. IT Value Delivery: focus on optimising cost and the value of IT
2. Risk Management: focus on safeguarding IT assets, disaster
recovery and continuity of operations

Means to Achieve IT Governance Goals
3. IT Strategic Alignment: focus on aligning IT with the business and
collaborative solutions
4. Performance Measurement: focus on tracking project delivery and
monitoring delivery of IT services.

[Figure: How important do you consider IT to be to the successful delivery of the business strategy or vision? Source: IT Governance Global Status Report—2008]


IT Governance and Best Practice Standards

In translating IT Governance from theory to practice, there are a number of IT
best practice frameworks and standards such as Control Objectives for
Information and related Technology (COBIT), ISO17799, IT Infrastructure
Library (ITIL), Capability Maturity Model (CMM) available to assist IT
functions to help them improve their accountability, governance and
management. COBIT is designed as a high-level umbrella framework and it
works very well with other lower-level frameworks like ITIL and ISO27002
which focus on specific aspects of IT Governance.

[Figure: How regularly does your IT department inform the business about potential business opportunities enabled by new technologies? Source: IT Governance Global Status Report—2008]

Clearly the structure of IT Governance depends on the IT structure and focus of
the organisation.

[Figure: To what extent does your IT department understand and support the business user needs? Source: IT Governance Global Status Report—2008]

Business can obtain a value from the implementation of appropriate best
practice frameworks through the reduction of the number of ad-hoc
processes. This brings discipline to IT activities and improves
accountability.

IT Governance Architecture Framework

This framework depicts how strategy, governance structures and performance
goals are synchronised. The “Whats” link overall strategy, governance
structures and performance goals so they are aligned and drive an organisation
to achieve its vision or steer in the strategic direction in which they are trying to
move.


[Figure: How would you describe the fit or alignment between your IT strategy and your organisation’s overall business strategy? Source: IT Governance Global Status Report—2008]

The “Hows” translate the theory into practice:

• The organisation’s strategy defines the behaviours required.
• The organisation’s governance arrangements are implemented through
its governance processes.
• The organisation’s performance goals are measured through appropriate
metrics.

[Figure: Rate the relative importance of IT-related problems based on impact and severity, frequency of occurrence, improvement or disimprovement and priority for resolution in the next 12 months. Source: IT Governance Global Status Report—2008]

Implementing Effective IT Governance

Control Objectives for Information and related Technology (COBIT) has been
referred to earlier in this paper. COBIT has become the de facto framework for
the management of Information Technology standards and processes.

COBIT aims to be different from other quality and governance approaches in
two key ways:

1. It is an IT Governance framework and supporting set of tools that IT
can use to bridge the gap between control requirements, technical issues
and business risks
2. It provides a detailed implementation structure and toolset that
translates the framework theory into practical and achievable
deliverables

As with all governance standards and methodologies, implementation can be
long and painful. Implementation of and adherence to these compliance
standards can seem to represent wasted effort as it does not add value to the
business. COBIT removes at least some of the pain and reduces the execution
time by going some way towards translating general principles to realisable
specifics.

Because COBIT has a detailed implementation framework, the project to
implement it and the associated time and cost can be defined more exactly.

[Figure: On a scale from 1, not at all serious, to 3, very serious, rate the severity of problems experienced? Source: IT Governance Global Status Report—2008]

The framework can be customised and simplified to suit the requirements of the
organisation. In order to deliver and be seen to deliver quick wins from IT
Governance, the following areas should be given attention:

• Ensure that IT project and service priorities are based on business priorities
• Audit existing IT processes and modify to ensure they are effective
• Ensure that IT projects are led by the business and strongly supported by
IT
• Develop an IT scorecard designed for a business audience that includes
details on how IT creates and delivers business value
• Implement a standard process for determining the business value (both
financial and non-financial) and risk of IT-enabled business investments
• Create an IT Strategy Committee with business involvement

COBIT has a broad coverage and a business focus. It seeks to ensure that IT
delivers what the business needs. COBIT focuses on the “what” rather than on
the “how”. It is a control and management framework, linking IT practices to
business requirements. COBIT is based on the principle that to provide the
information that the enterprise requires to achieve its objectives, the enterprise
needs to manage and control IT resources using a structured set of processes to
deliver the required information services.

COBIT is integrated with other standards and thus can become an umbrella
framework for IT Governance:

• It assists in understanding and managing the risks and benefits
associated with IT
• The process structure of COBIT and its business-oriented approach
provides an end-to-end view of IT

[Figure: Has the situation regarding these problems deteriorated, stayed the same or improved during the past 12 months? Source: IT Governance Global Status Report—2008]

COBIT provides a ready-made flexible IT Governance framework that
can subsume other more detailed and specific best-practice frameworks.

IT Governance with COBIT

COBIT Domain and Process Structure

The COBIT process model of four domains contains processes that manage the
IT resources to deliver information to the business according to business and
governance requirements. Each of the processes contains a set of objectives.

When implemented, the governance Processes within the Domains can be
regarded as an engine to deliver information and fulfil objectives.

[Figure: Which of any of the following practices does your organisation’s current approach to IT Governance include? Source: IT Governance Global Status Report—2008]

The implementation of these COBIT processes within the toolset is divided into
four parts:

1. High-level control objectives – this is a process summary identifying
the business requirement being satisfied, focus, achievement and measurement
principles
2. Detailed process-specific control objectives
3. Process inputs and outputs, responsibilities, goals and metrics.
4. Process maturity model

Each of these processes consists of a number of specific control objectives. It is
COBIT’s execution-oriented template approach and structure that make it useful
and implementable.

COBIT Information Measurement Criteria

COBIT defines criteria to measure how the information delivered by the
processes meets business objectives.

• Effectiveness: Deals with information being relevant and pertinent to the
business process as well as being delivered in a timely, correct,
consistent and usable manner
• Efficiency: Concerned with the provision of the information through the
optimal use of resources
• Confidentiality: Concerned with the protection of sensitive information from
unauthorised disclosure
• Integrity: Relates to the accuracy and completeness of information as
well as to its validity in accordance with business values and
expectations
• Availability: Relates to the information being available when required by
the business process now and in the future
• Compliance: Deals with complying with laws, regulations and contractual
arrangements
• Reliability: Relates to the provision of appropriate information for the
workforce of the organisation

[Figure: Have you implemented, are you in the process of implementing or are you considering implementing improved IT Governance practices? Source: IT Governance Global Status Report—2008]

COBIT Process Goals and Metrics


Each process has three sets of goals measured by corresponding sets of metrics:

• Activity Goals: delivery measured by Key Performance Indicators
• Process Goals: delivery measured by Process Key Goal Indicators
• IT Goals: delivery measured by IT Key Goal Indicators

[Figure: How valuable do you think COBIT is in your IT Governance efforts/initiatives? Source: IT Governance Global Status Report—2008]

In addition to the process-specific control objectives, COBIT includes a set of
generic process controls that are applied to all processes.

• PC1 Process Owner: Assign an owner for each COBIT process such that
responsibility is clear.
• PC2 Repeatability: Define each COBIT process such that it is repeatable.
• PC3 Goals and Objectives: Establish clear goals and objectives for each COBIT process
for effective execution.
• PC4 Roles and Responsibilities: Define unambiguous roles, activities and responsibilities for
each COBIT process for efficient execution.
• PC5 Process Performance: Measure the performance of each COBIT process against its
goals.
• PC6 Policy, Plans and Procedures: Document, review, keep up to date, sign off on and
communicate to all involved parties any policy, plan or
procedure that drives a COBIT process.

COBIT includes a set of generic application control groups and detailed controls
that are applied to all processes:

• Data Origination/Authorisation Controls
• Data Input Controls
• Data Processing Controls
• Data Output Controls
• Boundary Controls

[Figure: Which IT-related investment principles deliver the greatest value to the organisation? Source: IT Governance Global Status Report—2008]

Because COBIT has a detailed implementation framework, the project to
implement it and the associated time and cost can be defined more
exactly.


Implementing IT Governance

[Figure: Which of the following IT-related investment principles applies or is planned to be applied in your organisation? Source: IT Governance Global Status Report—2008]

Implementing IT Governance is similar to any other IT or business project and
should be approached and managed in the same way. The roadmap to
implementing IT Governance consists of the following general phases and
activities:

[Figure: What do you see as the greatest obstacles/constraints to organisations adopting the IT-related investment? Source: IT Governance Global Status Report—2008]

Implementing IT Governance should be treated like any other project.

Lessons Learned From Implementing IT Governance

The lessons learned from implementing IT Governance relate to avoiding the all
too common problems associated with business and IT being disconnected:

• Management see a value from investments made in IT and see that IT is
an investment rather than a cost.
• IT is no longer seen as a barrier to implementing new strategies. IT
becomes a strategic enabler rather than being seen as restricting the
ability of the business to respond to new opportunities.
• The IT decision-making mechanism is open and transparent rather than
slow, cumbersome and not apparent.
• Management understand and appreciate how IT is governed within the
organisation.
• IT projects are completed on time and on budget and deliver on the
committed benefits. Good project management is part of good IT
Governance.

[Figure: Which of the following measures have you implemented, or are you in the process of implementing, to improve IT management and governance? Source: IT Governance Global Status Report—2008]

Implementing IT Governance is good for both the organisation and for
IT. Governance ensures that IT delivers value and that the value of IT is
understood.

For more information, please contact:

alan@alanmcsweeney.com
