Governance of the IT Function Chapter 9
Key Learning Objectives Understand the concepts of enterprise governance and IT governance, and the connection between the two Understand the need for IT governance and the potential benefits of good IT governance Recognize the primary domains of IT governance and learn about effective approaches for developing an IT governance framework
Governance of a business enterprise The process of structuring, operating, and controlling the organization With a view to achieving its long term strategic goals, serving the interests of its various stakeholders, and complying with legal and regulatory requirements
IT governance Same as management issues… Resource allocation choices, risk and return trade-offs, and alignment of goals Different in the level of these issues… Overarching and integrated approach, addressing broad themes
Agenda The essentials of enterprise governance The impetus for better IT governance Benefits of effective IT governance The scope and practice of IT governance Designing IT governance: critical success factors and good practices
The essentials of enterprise governance Agency problem Physical separation between the owners of a company and its managers (or agents) provides those managers the opportunity to act in ways that are advantageous to themselves but detrimental to the interests of the owners Conformance (control and monitor) A board of directors intended to oversee organizational strategies, structures, and systems on behalf of the shareholders An external auditor who should offer insight into the reliability of the company’s financial statements Sufficient??
Governance is… The process of establishing lines of responsibility, authority, and communications As well as policies, standards, measurement, and internal control mechanisms that guide people in fulfilling their roles and responsibilities Can be implemented by management, through different kinds of control systems, to maintain or alter patterns of organizational behaviour
Control system Traditionally (one way) Used to measure critical performance variables Focus on outcome Additional governance mechanisms Value management systems Strengthen and sustain commitment to core organisational values Risk management system Delineate the boundaries between acceptable and unacceptable risks and standards of business conduct Strategic control systems Focus on communicating and implementing the organisation’s strategy, while encouraging debate about that strategy intended to stimulate learning and growth Balance between innovation and control, and ensure the successful achievement of profit goals and strategies
The benefit of good enterprise governance Affect a company’s share price or its cost of raising capital E.g. international start-up companies apply robust governance requirements to go public abroad Private companies and non-profit organizations rely on external resources such as debt-financing or foundation support
Introducing IT governance The purpose Ensure that the resources accorded to an initiative are appropriate for the risk and return anticipated from that initiative and that the initiative aligns with organisational goals Ways to ensure the IT function supports and advances the strategies and objectives of the overall organization Procedures to involve relevant stakeholders in critical IT decisions
The impetus for better IT governance Practice of more formally monitoring and measuring the use of IT assets is recent The critical contributions of information and IT to contemporary organizations have focused attention on ways to better manage potential risks and desired returns in this domain Companies seek to establish and improve general governance, risk management, and compliance practices (GRC), attention to the role of IT
The business value of IT A major goal of IT governance: ensure IT creates value for the organization Often ill-prepared to explain how IT contributes to strategic value and productivity gains Different levels Measure day-to-day efficiency and effectiveness of IT Help achieve a central aspiration of many companies: greater alignment of IT with the business Facilitating innovation, underpinning new products and services or reaching new customers “decrease cost” and “improve business models” transition Establish procedures and criteria for evaluating, prioritizing and monitoring the major IT investments
Recognition of IT impact No “black box” approaches Involve IT, business customers, and other corporate functions
IT as an enabler of corporate governance and compliance Regulations governing financial accountability, financial risk management and recovery from disaster Disclosure of business information Financial reporting process Data retention Information protection Anti-terrorism
Benefits of effective IT governance Generate better returns for their shareholders than equivalent organizations with ineffective IT governance Cost reduction, improved customer satisfaction, greater security, enhanced alignment between IT and business, revenues, profits, customer retention level
IT-related problems that can be addressed by better IT governance A disconnect between IT strategy and business strategy IT not meeting or supporting compliance requirements High cost of IT with low or unproven return on investment (ROI) Serious IT operational incidents IT service delivery problems Insufficient number of staff Staff with inadequate skills Problems with outsourcers Lack of agility/development problems Problems with document content or knowledge management Inadequate disaster recovery or business continuity measures Electronic archiving or storage problems Security and privacy incidents
The scope and practice of IT governance Elements of a governance system Leadership roles, organizational structures, business processes, standards, and measures of compliance to these standards Involve the whole organization Aim Shape decisions concerning IT use in the organisation Determine criteria by which to assess conformance to these decisions Define mechanisms by which these decisions can be communicated, implemented, and enforced throughout the organization
IT-business alignment IT strategy to be developed in parallel with business strategy, rather than in response to it IT steering committee/IT strategy committee Both IT and business executives
Investment Value Define processes to ensure the involvement of all relevant stakeholders, including IT managers, business unit leaders, functional representatives, and the board The board may be directed to review IT budgets and plans on a regular basis Define standard procedure for determining the business worth and risk of IT-enabled business investments
Project delivery Determining responsibilities and accountability together with accompanying processes, standards, and measures to ensure that projects conform to architectural standards, meet business objectives, and deliver on their promised benefits in a cost-effective manner Define standard project management Identify critical project management skills Establish levels of approval and project milestones to control the disbursement of funding Balance between Reduce project risk by reducing variance in the project implementation process Allows the right amount of flexibility that will yield more effective results
Service delivery Specifying structures, roles, and techniques for managing and controlling IT services Cost transparency mechanisms Service-level agreement
Resource management How IT assets and resources, including staff, are utilized Define structure, criteria, and processes for making decisions regarding the outsourcing of particular skills, technologies, or IT capabilities
Measurement of IT performance Designing and implementing structures and controls for measuring IT performance reliably and in terms that are valuable to the business and external stakeholders Balanced scorecard technique Different dimensions such as achievement of business goals, user satisfaction, operational excellence, and support for learning and growth
Source: eetodorov.com Adapted from Robert S. Kaplan and David P. Norton, “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review (January-February 1996): 76.
Risk management IT risks A loss of service, inappropriate access to confidential or sensitive information, the risk that infrastructure is inadequate to meet the current and future needs of the business in a cost-effective and timely manner Risk management may involve Identifying various possible sources of risk, determining acceptable level of each type of risk, defining metrics for monitoring and measuring each type of risk, instituting internal processes and roles to address unacceptable changes in the level of each type of risk
Designing IT governance: critical success factors and good practices No single best model of IT governance Should account for the size, industry, strategic goals, organizational culture, and local environment of the enterprise
Intentional but minimalist design No overly complicated procedures or excessive monitoring and reporting Not meet all possible goals, focus on conflicting goals Board-level leadership Only 12% had implemented board-level oversight mechanisms for IT resources Broad-based executive involvement C-level executives Clear ownership but broad participation The board should be ultimately responsible for all governance Designate an individual/group to be accountable for the design, implementation, and performance of IT governance (e.g. CIO, CEO or CFO)
Enforce execution but accommodate exception Transparent exception handling process Define benefits and target expectation ROI metric is neither feasible nor justified Indicators should be meaningful for both IT and the business, and are linked to business and IT goals Aim for evolution not revolution in implementation Link IT governance to key business objectives, such as cost reduction, innovation, agility, simplification, customer satisfaction, and compliance