“IT Governance”OC CIO Council

5/13/2010

Presented by: Carmella Cassetta

What is IT Governance?

“IT governance and associated issues have been reported as a top 10 CIO management problem area in the Gartner EXP annual CIO survey for at least the past five years”

• Gartner 29 March 2010 ID:G00175053

What is IT Governance?• There are narrower and broader definitions of IT

governance.

• Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.▫ IT Governance, P. Weill & J. Ross, Harvard Press

• The IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives." ▫ Wikipedia

What is IT Governance?• Gartner defines "IT governance" as the processes that

ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

• In one Gartner model, ITG addresses two main sets of issues:▫ Demand governance is primarily a business management

responsibility but one in which the CIO plays a major role as a business executive. What should IT work on? Where should the organization's IT resources be invested to produce

the greatest return? How do we ensure that these returns are actually achieved?

▫ Supply governance is primarily a CIO responsibility. How should IT do what it does? What are the constraints, policies, rules and standards that IT

must comply with in delivering what the business needs?

• Gartner 29 March 2010 ID:G00175053

What is IT Governance?

Weill and Ross further elaborate that an effective IT Governance model must address three basic questions:

1.What decisions must be made to ensure effective management and use of IT?2.Who should make those decisions?3.How will those decisions be made and monitored?

IT Governance, P. Weill & J. Ross, Harvard Press

Typically, includes:

• IT Investment strategy▫ Capability matrix▫ Investment targets

• Processes to foster business & IT alignment and ensure allocation of resources to priorities

Project intake and approval process Priority management (Steering Committees) Enterprise portfolio management Engagement model Application Portfolio Management (What do we own? What do we use? )

• Architectural principals & Technology Roadmap▫ Business Application needs

• Processes and Controls▫ Change Management, Project Management, SDLC, Resource management

• Oversight▫ Benchmarks and Metrics/KPI’s & Reporting▫ Steering Committees

Key IT Governance Decisions

7

IT Principles DecisionsHigh-level statements about how IT is used in the business

IT architecture decisions IT infrastructure decisionsIT investment and

prioritizationOrganizing logic for data, applications, and infrastructure captured in a set of policies, relationships, and technical choices to achieve desired business and technical standardization and integration

Centrally coordinated, shared IT services that provide the foundation for the enterprise's IT capability

Decisions about how much and where to invest in IT, including project approvals and justification techniques

Business applications needsSpecifying the business need for purchased or internally developed IT applications

M.I.T. SLOAN CENTER FOR INFORMATION SYSTEMS RESEARCH

Theoretical Process Framework for Building Strategic Business Alignment

Vision

StrategicElements

Business ProcessArchitecture

Application & Information Architecture

Technology, Infrastructure& Organization Architecture

KeyCapabilities

Operationalizing the Business Strategy

IT StrategyIncluding MissionAnd Vision

What we aspire to

What will enable us to achieve the vision

What is required to achieve strategies

How work gets done

What IT must provide

How IT delivers

Business Strategy

Governance – Iterative Process

IT InitiativeIT Initiative RequestRequest

ApprovedApprovedPrioritized Prioritized InitiativeInitiative

Initiative PortfolioInitiative Portfolio

Strategic Business Strategic Business ObjectivesObjectives

GovernanceGovernance

Application PortfolioApplication Portfolio

IT InitiativeIT Initiative

ResourceResource ScheduleSchedule

ScopeScopeRiskRisk

Key Business Capability ModelKey Business Capability Model

Source: Gartner 29 March 2010 ID:G00175053

Governance Arrangements Matrix

IT Principles IT ArchitectureIT Infrastructure

Strategies

Business Application

Needs IT Investment

Business Monarchy

IT Monarchy

Feudal

Federal

Duopoly

Anarchy

Don't Know

Which Governance Archetypes Are Used for Different Types of Decisions?

Decision

Arche-Type

M.I.T. SLOAN CENTER FOR INFORMATION SYSTEMS RESEARCH

Often starts with investment guidelines and capability assessment…

•Enterprise Portfolio Management goes beyond cataloging and prioritizing projects with alignment to strategic business goals.

•Successful EPM includes the integration of enterprise architecture (assumes multi-layer views of business/process, applications, technology, data), resource planning, investment decisions, performance and execution management across the enterprise.

Key Capability RequirementsDetermine Our Business Capability Requirements to

Achieve Our Corporate Strategy. We can’t optimize every function. This helps define our investment strategy.

EXAMPLE

EPM FRAMEWORKS• Asset Class Portfolio (MIT or Weill Model) . Under Peter Weill’s portfolio model,

investments are placed in four categories with the percent of IT expenditures distributed across each class. ▫ Infrastructure. Investments that provide a shared and standardized base of capability

for the enterprise and lead to greater business flexibility and integration. Infrastructure investments are moderately risky because of their technologies' long life-spans and technical uncertainty.

▫ Transactional. IT initiatives that process and automate the basic transactions of a company. They are intended to reduce costs and boost productivity and boast an average internal rate of return of 25 percent to 40 percent. These investments have the least risk of the four classes.

▫ Informational. Systems that provide information for managing a company. Payoff comes from shorter time-to-market, superior quality and the ability to set premium prices. They are moderately risky because companies often have difficulty acting on information to generate business value.

▫ Strategic. These investments, almost always external-facing systems pay off in sales growth, competitive advantage and stronger market positioning. But they are the riskiest of the classes: 10 percent will produce spectacular results, but 50 percent will fail to break even.

• Investment proportions may differ based on cost-control, agility, or balanced.

• M.I.T. SLOAN CENTER FOR INFORMATION SYSTEMS RESEARCH

15

… And expands to include engagement & supporting processes

Technology Investment Governance Model

• All IT investments will be managed by the IT organization• Projects are defined as >160 resource hours or >$10,000 capital• Small Enhancements are defined as <160 resource hours or <$10,000

capital• IT investment is defined as procurement of any IT hardware, software,

consulting or service excluding standard, budgeted pc or server purchases completed by the Purchasing Dept.

• IT Steering Committee (ITSC) will govern the approval of IT investments & projects >$75,000.▫ The committee consists of CEO, CFO, COO, CIO & EVP Ops▫ The IT Steering Committee will evaluate for:

Applicability across divisions, consistency with strategic initiatives, ROI, projects value, timing and cost

• Projects $10,001-75,000 can be approved by the CFO, CIO and department head.

• Small enhancements (SE’s)▫ Business SE’s are approved by business steering committees▫ IT SE’s are approved by the CIO

• Scoping: Projects can be scopes (estimated) without prior approval from the ITSC but must be approved by the local steering committees

• The preferred solution options will be off the shelf, vendor supported packages with minimal customization

1

2

3

5

6

4

7

The Business submits an ITER to IT with VPapproval

IT Project Lead accesses ITER as Project or Small Enhancement

Steering Committee reviews, approves, prioritizes ITER ITER is approved as a Small

Enhancement (SE)

SE is prioritized and moved In Stream

ITER is approved as a Project for Scoping

Project is scoped and a *ROM is created

Project is re-scoped as a Small Enhancement (SE) and 2nd page of ITER is completed

EXAMPLE: IT Project Intake and Approval Flow “Phase 0”

See p. 4

ITER is put into the Pipeline

>160 hrs

<160 hrs

<160 hrs

19

8

9

10

11a

12

11b

14

13

ROM is approved by

CIO and Business VP

A *CER is created If project is capitalizable or requires external consulting, new hardware, and/or new software

> $50K < $50K

Business Steering Committee

ITSC

Approved projects are prioritized and moved In Stream

Project is Active

From p. 3

IT Project Intake and Approval Flow “Phase 0”

20

SRVP

IT Collaboration

High levelevaluation

Approval tomove forward

AFCECapital

Committee

IT CollaborationRequirements

AnalysisDesign

EXAMPLE: IT Project Process Flow

| 5 working days |

| 5 working days

| project plan| 5 working days | 5 working days

The determination is made whether or not North America wants to a) engage IT and b) invest its limited capital on this proposed project

The business secures conditional approval to move forward

The project receives final approval or is re-evaluated

0. Scoping 1. Elaboration 2. Architect & Design

3. Construct 4. Test 5. Deploy 6. Verify

Align project request with CCi Strategic Objectives

Provide clear vision for project goals & objectives

Obtains VP or above approval on ITER

Submit ITER to appropriate IT staff

Attend Steering Committee to represent project, as required

Open Work Order in Altiris with ITER attached

Add project to Leader Board with a Requested status

Complete high level estimate

Present ITER at Steering Committee for prioritization (present to ITSC if > $25K)

Update Leader Board status to Approved, Pending Recourses, or Scoping based on Steering Committee

Generate a ROM & CER (if required) for all approved projects

Develop initial RAID

Develop Project Charter with Business Owner

Phase Gate Approval

Publish artifacts to the project folder on SharePoint

Verify appropriate levels of planning & controls are applied

Participate in Project Kickoff

Ensure project resources are allocated & engaged

Facilitate approval of Project Charter

Develop Resource Plan

Present project at the next IT Resource Planning Meeting

Plan & facilitate Project Kickoff

Facilitate approval of Project Charter

Conduct Project Kickoff

Generate Business Requirements Document

Generate Project Schedule

Establish budget

Develop Risk Management Plan

Create Roles & Responsibilities Matrix

Phase Gate Approval

Update RAID

Update Leader Board & SharePoint

Participate as necessary to ensure work is produced & performed well

Provide resources for test planning and the development of training materials

Act as escalation point for issues

Set priorities

Evaluate technical solutions

Create technical blueprint

Perform Technical Walkthroughs

Generate Technical Design Specification

Generate Test Plan

Generate training plan

Phase Gate Approval

Update RAID

Update Leader Board & SharePoint

Verify project objectives & deliverables are met

Ensure smooth transition to Operations

Participate in Project Closure Activities

Provide support for 30 day warranty period

Solicit formal Project Acceptance from Business Owner

Document Lessons Learned

Conduct Project Evaluation

Ensure smooth transition to operations

Complete project recognitions

Complete Phase Gate Approval

Archive all relevant project artifacts on SharePoint

Close project in Leader Board

Develop, upgrade, and/or install product

Conduct code reviews

Unit test code

Create system documentation

Continue development of Test Plan

Continue development of training plan

Phase Gate Approval

Update RAID

Update Leader Board & SharePoint

Provide resources for User Acceptance Testing (UAT)

Act as escalation point for issues

Set priorities

Execute Test Plan

Track and remediate issues found during test

Obtain user approval for UAT

Prepare environments for deployment

Generate Support Plan

Phase Gate Approval

Update RAID

Update Leader Board & SharePoint

Execute Training Plan

Place system into production

Provide user support

Phase Gate Approval

Update RAID

Update Leader Board & SharePoint

Ensure resources are available to receive training

Provide the resources necessary to

Act as escalation point for issues

Set priorities

Bus

ines

s O

wne

rP

roje

ct T

eam

Project Management Framework and SDLC

22

Change Management Process Flow

1. The Business or IT initiates a project that requires a change to a CCi production environment

2. IT associate creates an online Production Migration Request

3. Testing is completed and approval signature is entered on the Production Migration Request form 4. The Business Owner

(director or above) enters approval signature on the Production Migration Request form

7. The CCB reviews each migration request for approval

8. IT Associate ensure migration is complete and updates status both on SharePoint and the Production Migration Request form

5. The IT Owner (director or above) enters approval signature on the Production Migration Request form

Approved

6. IT associate ensures form is complete and all signatures are in place by 12pm PDT on Monday

… and ARCHITECTURAL PRINCIPALS How we build our systems

• We will provide an efficient and effective IT platform that supports and enables the objectives of the business, at the best possible cost.

• Total Cost of Ownership (TCO) Perspective. ▫ Cost matters▫ Right sized solutions at an appropriate cost level ▫ Tiered solution options (low, med, high)

• Our approach▫ Build, buy, assemble and/or provision (SaaS/ASP):

Conduct analysis for all new applications, infrastructure or services. Approach selected is based on a build/buy/provisions selection matrix

▫ Reuse or extend what we have first (technologies, infrastructure & applications)

▫ Design for simplicity ▫ Adoption of package solutions with strict limits on acceptable customization.

Products will be off the shelf, vendor supported packages with minimal customization

• Our solutions will: ▫ Incorporate appropriate security▫ Adhere to published technology standards ▫ Include proactive monitoring & management ▫ Embrace open standards and non proprietary approaches/solutions▫ Incorporate appropriate levels of scalability & redundancy

• All inbound and outbound data exchanges will be via the IT Partner Gateway• Solutions must address both the US and Canada. 24

Guiding IT Architectural Principals

Guiding IT Architectural Principals

Build Buy SaaS Hybrid•Core competency of

the company

•Solution/functionality provides competitive advantage

•Technical expertise available

•Transactional and custom to the business (ordering, manufacturing)

•Functionality is available to purchase (COTS)

•Vendor packages provide necessary capability

•Time to market is key

•Solution type: •Payroll•GL/Finance•HR•Operating systems•Email•Security tools•Analytical/Reporting•Productivity Tools•Collaboration Tools•Non – transaction

(ie Altiris)•WAN/LAN•LMS•Student Admin.

• Time to market• Non critical• Data is not

sensitive or private

• Need to segregate from internal operations (eg student email)

• Limited internal expertise

• High volume

• Cannot easily be supported by internal infrastructure

• Outsourcing opportunity

• Competitive advantage can be accomplished with tight integration to package solutions or back office systems:

•E-commerce•Portals•ERP•Websites• intranets

25

Oversight and Metrics

• Oversight ▫ Steering Committees that

approve and prioritize IT investment

▫ Ensure alignment ▫ Ensure appropriate

resources and roles/responsibilities

▫ Escalation and issue resolution

▫ Visibility

• Metrics and KPIs▫ Project Delivery▫ Resource Allocation▫ ROI measurements▫ Throughput

• Availability and SLA’s

27

FY10 Project Metrics FY10 Q3 YTD

0

2

4

6

8

10

12

14

16

18

Finance Campus Ops

IT HR Marketing Online Real Estate Operations Purchasing

6 57

14 3 3

1

6

21

2

3

5

62

51

1

Completed Projects, Small Enhancements, and Quick Wins by Function

Project Small Enhancement Quick Win

BusinessStrategy

Business Initiatives

IT Initiative Request

Portfolio AssessmentCriteria

Application Lifecycle

Phase

Investment Decision

Update Application/Initiative Portfolio

RepeatProcess

Project Reporting

•Executive Committee•Plan•Prioritize

•Project Life-cycle Cost•Return on Investment•Payback Period

•Invest•Reduce/Maintain•Retire•Replace

•Align with Business Objective•Business Case•Benefit Value versus Risk

•Value•Efficiency•Cost•Risk

•Profitable Growth•Best-in-class Op-ex/working capital•Customer Loyalty•Attract//retain best-in-class assoc Re-architecture Plan

Technical Standards

GOVERNANCE – ITERATIVE PROCESS