© 2009 IBM Corporation

Applying IT Governance to Enterprise Initiatives : ISACA Bangalore

Shrikant Patil – Senior Advisory Consultant, Strategy & Change

09 January 2009

© 2009 IBM Corporation2

Learning Objectives

Understand Basic IT Governance Concepts

Review Relevant Organizational Constructs and Best Practice Frameworks

Discuss Critical Role of IT Governance in Enterprise Initiatives

ISACA Bangalore : Applying IT Governance to Enterprise Initiatives

© 2009 IBM Corporation3

Agenda

IT Governance Concepts

IT Organization Design Principles

Applying IT Governance

Case Studies

Q&A

© 2009 IBM Corporation4

Governance Definition

“Governance is process of decision making in the exercise of authority for direction and control”

- G.E.P. Shailer

Implies that– Board knows the strategic direction of the company– Board is responsible for relevant actions and decisions– Board holds ultimate authority over the affairs of the organization– Board is should include oversight and control as part of governance

© 2009 IBM Corporation5

Components of Enterprise Governance

Doing the right things ?

Doing the right way ?

© 2009 IBM Corporation6

IT Governance Definitions

It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

IT governance is the responsibility of the board of directors and executive management

Relationship Mechanisms (within business units) play catalytic role in implementation of Governance

Source : IT Governance Institute

The distribution of IT decision-making rights and responsibilities among enterprise stakeholders, and the procedures and mechanisms for making and monitoring strategic decisions regarding IT

— Source: Luftman and Brier, 1999; Sambamurthy and Zmud, 2000; Weill, 2004 CISR MIT Sloan

© 2009 IBM Corporation7

What needs to be addressed within IT Governance?

According to COBIT there are five IT governance focus areas that executive management needs to address to govern IT within their enterprises:

Strategic alignment

Value delivery

Risk management

Resource management

Performance measurementStr

ategic

Alignm

ent

Value Delivery

Ris

k M

anag

emen

t

Resource Management

Performance

Measurem

ent

IT IT GovernanceGovernance

DomainsDomains

Strate

gic

Alignm

ent

Value Delivery

Ris

k M

anag

emen

t

Resource Management

Performance

Measurem

ent

IT IT GovernanceGovernance

DomainsDomains

Source : IT Governance Institute

© 2009 IBM Corporation8

IT Governance is embedded within Enterprise Governance

Internal Environment– Value Statements : Core beliefs and philosophies that shape the organization’s vision

and mission– Guiding Principles : Durable statements that encapsulates the role IT will play and how

decisions will be driven in both business and IT organizations

Entrustment Framework– Accountability / authority framework across the organisation– Designated decision authorities : individuals or bodies– Organization constructs & functional interrelationships

Decision Model & Framework– Clear (transparent) assignment of decisions rights – Sequence of actions and decision path in decision processes

Source: Many faces of IT Governance by Nick Robinson CISA, ISACA Journal Volume 1 2007

© 2009 IBM Corporation9

3 Key Questions for IT Governance

1. What decisions must be made ?

2. Who should take these decisions ?

3. How these decisions are made and monitored ?

© 2009 IBM Corporation10

MIT CISR Arrangement Matrix The Governance Arrangements Matrix is used to describe, analyze and communicate an organization’s

IT governance

The framework uses a set of political governance archetypes for five principle decision domains

The matrix also identifies the set of mechanisms used to implement the governance arrangements (eg. committees, approval processes, relationships and organizational structures)

Five Key IT Decisions

IT Principles High level statements about how IT is used in the business

IT Infrastructure Strategies

Strategies for the base foundation of budgeted-for-IT capability (both technical and human), shared throughout the firm as reliable services and centrally coordinated

IT Architecture An integrated set of technical choices to guide the organization in satisfying business needs

Business Application Needs

Business applications to be acquired or built.

IT Investment and Prioritization

Decisions about how much and where to invest to IT including project approvals and justification techniques

IT Governance Archetypes

Business Monarchy

“C” level executives as a group or individuals

IT Monarchy Individuals or groups of IT executives.

Feudal Business unit leaders, Key Process owners, or their delegates

IT Duopoly IT executives and one other group

Federal Shared by “C” level executives and one other business group

Anarchy Each individual user

Source: MIT CISR

© 2009 IBM Corporation11

Governance and Alignment…”Six IT Decisions Your IT People Shouldn’t Make,” HBR – Ross and Weill

1. How much should we spend on IT?

2. Which business processes should receive IT dollars?

3. Which IT capabilities need to be companywide?

4. How good do our IT services really need to be?

5. What security and privacy risks will we accept?

6. Whom do we blame if an IT initiative fails?

© 2009 IBM Corporation12

For each organization type there are different possible IT decision making mechanisms („archetypes“).

Local IT Federal IT Central IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT

...

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Business Monarchy IT Monarchy Federal IT Duopoly

Different archetypes ofIT decision rights*

Source: IT Governance, P. Weill, Jeanne W. Ross, Harvard Business School Press, 2004

Coordinated decision makingincluding all business units. ITmay be involved.

Bilateral agreements between IT and business units.

IT makes IT decisions.Business executivesmake IT decisions.

© 2009 IBM Corporation13

Allocation of IT Decision Making Authority across Business & IT Functions

Source: Weill & Boradbent 1998

© 2009 IBM Corporation14

In most organizations the decision rights are implemented differently, depending on the different IT domains.

Local IT Federal IT Central IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT

...

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Local IT Federal IT Central IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT

...

Management

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Federal ITManagement

Business Line A

Business Line B

Business Line C

Business Line D

... .. ... ...

IT IT IT IT

IT

...

Business Monarchy IT Monarchy Federal IT duopoly

Source: based on MIT Sloan, Center for Information Systems Research (CISR)

IT Domains Good Practice1

Federal

IT Monarchy

IT Monarchy

Federal

Federal

Business Monarchy

IT Strategy

Application architecture

System architecture

Specialized architecture

IT investments

IT risk management

Often, each IT domain has itsown mechanisms to makedecisions

© 2009 IBM Corporation15

IT Governance Models

Source: Peterson 2000

© 2009 IBM Corporation16

Summary : To set direction and make it stick across the organization

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

— Source: The IT Governance Institute

Term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission or strategic goals

— Source: Prof. Robert S. Roussey, University of Southern California

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.

— Source: Cobit Executive Summary

© 2009 IBM Corporation17

IT Governance Drivers

IT Principles & Policies

Performance Management

Value Management

Accountability Framework

Processes & Decision Models

Strategic Alignment, Risk and Resource Management

• Guiding Principles• Standards and procedures

• Organizational structures & functional interrelationships• Individuals or bodies .e.g. committees, boards, empowered to make IT

decisions

• Sequence of activities and decision paths• In line with the number and type of decision

• Demand mgmt : ensure alignment / manage portfolio and investments• Supply management : provisioning and supply of products and

services

• Outcome focused – Is IT Function meeting the objectives?• Process focused – Are the IT processes operating effectively

• Delivery of business value from IT investments

© 2009 IBM Corporation18

Program Management Office (PMO) types

Temporary PMO

– For achieving specific business benefits

– Decision of formation of PMO is taken based on size of the program (most economical for min 30 associates)

– Largely Administrative– PMO disbanded post program

retirement– E.g. ERP Rollout Program Office

Permanent PMO

– For continuous organizational improvement

– Decision is based on the criticality of the objectives

– Establishes the best practice framework and rolls out across the organization

– E.g. Corporate Program Office, Chairman’s Program Office, Office of the CIO (OCIO)

© 2009 IBM Corporation19

The Office of the CIO (OCIO)

OCIO is Permanent type of PMO

5 % of 2000 CIOs participating in Gartner’s Executive Program (EXP) have OCIO

OCIO acts as the mouth piece of centralized IT

Provides transparency of IT to business

Extremely important step towards Business – IT Alignment

Mostly popular in Governments & large distributed organizations

The US Departments of Commerce and Agricultural leverage the OCIO– Standardization of IT roles and responsibility execution– Processes application development to help desk support are developed and standardized – This consistency supports stronger and more accurate reporting

Strategy planning, lessons learned and financial IT performance are formally reviewed quarterly which is facilitated by the office of the CIO

— Zack Hicks, corporate manager at Toyota's office of the CIO Torrance, California

© 2009 IBM Corporation20

PMO Within OCIO

© 2009 IBM Corporation21

COBIT Framework - Activities and Responsibilities

CEO

CFO BusinessExecutive

CIO

BusinessSr Management

Head ofOperations

ChiefArchitect or CTO

Head ofDevelopment

Head ofIT Admin

HR, Fin, etc

CARS

PMO

CEO

CFO BusinessExecutive

CIO

BusinessSr Management

Head ofOperations

ChiefArchitect or CTO

Head ofDevelopment

Head ofIT Admin

HR, Fin, etc

CARS

PMO

Key Activities

RACI Chart

1 Link business goals to IT goals2 Identify critical dependencies and current performance3 Build IT strategic plan4 Build IT tactical plans5 Analyze and manage project and service portfolios

C I A/R R CC C R A/R C C C C C CA C C R I C C C C I CC I A C C C C C R IC I I A R R C R C C I

1 Link business goals to IT goals2 Identify critical dependencies and current performance3 Build IT strategic plan4 Build IT tactical plans5 Analyze and manage project and service portfolios

PO1PO1

CARS: Compliance, audit, risk and security (groups with control responsibilities who do not have operational IT responsibilities)

Source : ISACA, COBIT

© 2009 IBM Corporation22

VAL IT Recommended Organization Chart

Source : ISACA, Val IT Framework

© 2009 IBM Corporation23

Role Definitions for VAL IT

Source : ISACA, Val IT Framework

© 2009 IBM Corporation24

VAL IT Framework RACI

Source : ISACA, Val IT Framework

© 2009 IBM Corporation25

Ref : Capgemini Outsourcing Report

Governance of Outsourcing

© 2009 IBM Corporation26

Client-Vendor Engagement : Governance of Outsourcing

Ref : Gartner

© 2009 IBM Corporation27

“Top performing enterprises generate returns on their IT investments up to 40 percent greater than their competitors.”

they clarify business strategies and the role of IT in achieving them

they measure and manage the amount spent and value received

they assign accountability for changes and decisions required to benefit from IT capabilities

they become adept at sharing and reusing IT assets

- IT Governance, Peter Weill & Jeanne W. Ross, HBS Press

“Firms with above average IT governance combined with a specific business strategy (eg. customer intimacy) had >20% higher profits than firms pursuing the same strategy”

Why focus on IT Governance?

Source: 2005 MIT SeeIT/CISR survey (625 firms); Peter Weill & Stephanie Woerner

Investors have acknowledged their awareness of importance of governance, demonstrating a willingness to pay premium of up to 20 percent on shares of enterprises known to have a governance framework in place

- McKinsey Report 2000

© 2009 IBM Corporation28

Applying IT Governance to Enterprise Initiatives

Strategy Operationalization

IT Enabled Enterprise Transformation Program

Underlying Organizational Change Management

Portfolio / Investment Management

Framework Implementations e.g. COBIT, ITIL (IT Control Establishments)

Collaborative Innovation

© 2009 IBM Corporation29

Enterprise Initiatives Classification

Source : W. “RP” Raghupathi August 2007/Vol. 50, No. 8 COMMUNICATIONS OF THE ACM

© 2009 IBM Corporation30

Enterprise Initiatives Landscape

Source : W. “RP” Raghupathi August 2007/Vol. 50, No. 8 COMMUNICATIONS OF THE ACM

• Portfolio / Investment Management : Stage 1• Framework Implementations e.g. COBIT, ITIL (IT Control Establishments) : Stage 1 & 2• Collaborative Innovation : All Stages• Audits & Assessments : All Stages

• Strategy Operationalization : Stage 1 & 2 • IT Enabled Enterprise Transformation Program : All Stages• Underlying Organizational Change Management : All Stages

© 2009 IBM Corporation31

IT Governance for Enterprise Transformation Programs

© 2009 IBM Corporation32

Case Study 1 : Manufacturing - Europe

Global organization with revenue of US$ 9 BN

First time in the life span started multi million dollar ERP program and did not succeed in 3 previous attempts

Integrations within applications growing out of hand

Program Office not established

Low awareness and practice of Project Management Methodology

Business frustrated due to consistent failures and not supportive of the initiative

Processes adequate for managing small project but not sustainable for large programs

a) Creation of program office b) Program Sponsor to undertake the OCM c) Revalidation of vendor commitment and customized framework for vendor and application evaluation

Operationalization plan of IT strategy objectives related to program

Mentoring the Program Manager

Creation / implementation of Business-IT alignment initiatives

Establishment of core processes such as risk and quality at the program level

Definition of process maturity framework

Problem Statement Solution Provided

© 2009 IBM Corporation33

Case Study 2 : How Org Context Affects the IT Governance

Source: Carol V Brown Graduate Business School Indiana University

© 2009 IBM Corporation34

How Leading firms behave differently

Greater top mgmt commitment to IT

More integrated business and IT planning

Less political turbulence

Higher user satisfaction with IT

More experience managing IT

© 2009 IBM Corporation35

Thank you

Contact

Shrikant Patil

Senior Advisory Consultant, IBM India

shrikpat@in.ibm.com

9620201083