Business Accent
Implementing IT governance
IT planning and implementation need to be given the same
importance as other business decisions at the highest level.
IT governance greatly impacts an organisation's ability to achieve its
objectives. IT governance relates to IT practices of boards and senior managers.
The question is whether IT structures, processes, relational mechanisms and
IT decisions are made in the interest of shareholders and other stakeholders,
or primarily in executives' interests. Currently, many enterprises are
implementing IT governance structures, processes and relational mechanisms to
achieve a better fusion of business and IT. A crucial question is: how well are
they doing? In other words, how do the implemented IT governance practices
fare?
IT governance issues
IT governance is increasingly gaining attention in the business and IT arena.
IT governance can be defined as the organisational capacity exercised by the
board, executive and IT management to control the formulation and implementation
of IT strategy and ensure the fusion of business and IT. This definition indicates that
IT management is also involved in the governance process. However, a clear difference
must be made between IT governance and IT management. IT management is focussed
on the daily effective and efficient supply of IT services and operations. IT
governance, in turn, is much broader and concentrates on performing and transforming
IT to meet present and future demands of the business and customers. To implement
IT governance in practice, an IT governance framework can be deployed consisting
of a mixture of various structures, processes and relational mechanisms.
When designing IT governance, it is important to recognise that it is contingent
upon a variety of sometimes conflicting internal and external factors. Therefore,
determining the right mechanisms is a complex endeavour and what works for one
company does not necessarily work for another, even if they work in the same
sector. Summing up, IT governance is concerned with objectives that focus on
alignment of IT with business, value and benefits of IT, management of risks
associated with IT and performance measures for IT services.
The road map to IT governance
The road map represents a project that can be fairly large and which requires
strict project management practices and thorough management involvement and
oversight. The road map is a first pass for implementing IT governance requirements.
The road map is a kind of bootstrap for IT governance, after which
the enterprise should move into a continuous IT governance cycle, reusing the
elements of the road map as required.
Phase 1 - Identify needs (Steps 1-4)
The following are required in the start-up phase of an IT governance implementation
project:
- Understand the background of the IT governance
initiative, set measurable business objectives for the IT governance implementation
project, raise awareness and define a proper project organisation.
- Understand the business objectives and how they
translate into IT objectives.
- Understand the potential risks and how they could
affect IT goals.
- Decide upon the scope of the improvement project,
and identify the IT processes to be implemented or improved.
Phase 2 - Envision a solution (Steps 5-7)
The current maturity of the selected IT processes (as-is) must be assessed and
the appropriate target maturity levels (to-be) are to be set.
Phase 3 - Plan the solution (Steps 8-9)
The third phase of the road map identifies feasible improvement initiatives
and translates them into justifiable projects. After approval, these projects
should be integrated into an overall improvement strategy with a detailed plan
to roll out the solution.
Phase 4 - Implement the solution (Steps 10-12)
As the improvement plan rolls out, the sustainability of delivery is guaranteed
by the feedback provided by the post-implementation review and the monitoring
of improvements on the corporate and IT balanced scorecards.
The IT balanced scorecard is an important mechanism for managing
and aligning IT. Therefore, step 11 of the implementation road map refers to
the establishment of an IT balanced scorecard. Balanced scorecard (BS) concepts
have been applied to the IT function and its processes.
Balanced scorecard approach
The use of the BS has become widespread as a performance
measurement and management system. The fundamental premise of the BS approach
on the enterprise level is that the evaluation of a firm should not be restricted
to a traditional financial evaluation, but should be supplemented with measures
concerning customer satisfaction, internal processes, and learning and growth. Results
achieved within these additional perspectives should assure future financial
results and drive the organisation toward its strategic goals while keeping
all four perspectives in balance. For this balanced measurement framework, Kaplan
and Norton proposed a three-layer structure for each of the four perspectives:
mission, objectives, and measures from which targets are to be set and initiatives
are to be launched to reach a better rate. To leverage the scorecard as a management
instrument, it should be enhanced with cause-and-effect relationships among
measures. Two types of measures articulate these relationships: outcome measures
and performance drivers. A well-developed scorecard should contain a good mix
of these two metrics. Outcome measures without performance drivers do not communicate
how they are to be achieved. Performance drivers without outcome measures may
lead to significant investment without a measurement indicating whether the
chosen strategy is effective.
Balanced scorecards translate strategy into action to achieve
goals with a performance measurement system that goes beyond conventional accounting,
by measuring those relationships and knowledge-based assets necessary to compete
in the information age: customer focus, process efficiency and the ability to
learn and grow. At the heart of these scorecards is management information supplied
by IT infrastructure. IT also enables and sustains solutions for the actual
goals set in the financial (enterprise resource management), customer (customer
relationship management), process (intranet and workflow tools) and learning
(knowledge management) dimensions of the scorecard.
Because of its criticality, IT needs its own scorecard. Defining clear goals
and good measures that unequivocally reflect the business impact of IT goals
is a challenge and needs to be resolved in cooperation with the different governance
layers in the enterprise. The linkage between the business balanced scorecard
and the IT balanced scorecard is a strong method of alignment. Many of the outcome
measures of IT influence how well the enterprise is doing and, therefore, are
performance measures for the enterprise. It is equally vital to stress that
the balanced scorecard should demonstrate the value that IT delivers to the
enterprise.
Developing IT governance
Using the balanced scorecard to its full extent enables IT management and
the board to achieve their objectives. The BS is not only a performance management
system but also, at the same time, a management system where causal relationships
between metrics are properly implemented.
The ultimate goal of development and implementation of an IT governance process
is to attain the fusion of business and IT and, consequently, achieve better
financial results. Therefore, it is logical that the IT governance BS starts
with a corporate contribution perspective. The other three perspectives have
a causal relationship with corporate contribution and, amongst each other,
cause-and-effect relationships. Overall, completed IT governance education (future orientation)
may enhance the level of IT/business planning (operational excellence), which
in turn may improve stakeholders' satisfaction (stakeholders' orientation)
and have a positive effect on the strategic match of major IT projects (corporate
contribution).
Metrics for IT governance
The corporate contribution dimension evaluates the performance of the IT governance
process. A well-balanced IT governance process must enhance business profit
through IT while mitigating the risk related to IT (mission). The key issues
are strategic alignment, value delivery and risk management. These three are
seen by the IT Governance Institute as the main concerns of IT governance. The
main measurement challenge is within the area of strategic alignment. Strategic
match of major IT projects, percentage of development capacity engaged in strategic
projects and percentage of business goals supported by IT goals are specific
alignment concerns.
In the value delivery area, business unit performance measurement
refers to the business results of the individual lines of business. Indeed,
the ultimate responsibility for achieving and measuring the business value rests
with business units. Alternative metrics for value delivery assessment are the
traditional financial evaluations, such as the return on investment (ROI), net
present value (NPV), internal rate of return (IRR) and payback period (PB).
A major concern for senior management is the level of IT costs and their recovery,
respectively measured through ratio of IT costs/total turnover and percentage
of IT costs charged back to the business. Regarding the risk management objective,
a high level of security and disaster recovery should be attained, measured
by the number of implemented IT security initiatives and security breaches and
the attainment of disaster recovery plans. Audit performance is measured
through the number of IT audits performed and reported shortcomings.
The stakeholder perspective evaluates the IT governance process from the stakeholders'
viewpoint including the board of directors, CEO and executive management, CIO
and IT management, business and IT users, customers, shareholders and community.
It is important to point out that the scope of this stakeholders' perspective
is much broader than the customer perspective as described in the IT balanced
scorecard. The broader scope is derived from the board scorecard. In relation
to stakeholders' satisfaction, the scores on satisfaction surveys (stakeholders'
satisfaction survey at fixed times) for the aforementioned categories of stakeholders
can be used. This can also be applied to the number of complaints of stakeholders.
An overall specific metric for business users is the index of availability of
systems and applications.
The management of stakeholders' needs is assessed through a set of performance
metrics, including measurements for the various stakeholder groups (number of
meetings with stakeholders), more specific measurement for the board and CEO
(clear communication in place with CEO/board members and index of CEO/board
involvement in new and major IT initiatives), and specific measurements for
business users (number of major IT projects within SLA). Service level agreements
(SLAs) are an important governance instrument for enforcing levels of IT service
that are acceptable to users and attainable by their IT department and/or external
providers. The third objective within the stakeholders' perspective is
legal and ethical compliance.
The operational excellence perspective identifies the key IT governance practices (structures
and processes) to be implemented and their corresponding metrics. Structures
refer to the existence of responsible functions and committees, and processes
refer to decision-making and monitoring. The operational excellence card gives
a variety of metrics for IT governance structures and processes, including an
overall IT governance maturity measurement. For the structures area, three specific
metrics regarding IT committees are retained: the number of meetings of IT strategy
committee and IT steering committees, the composition of IT committees, and
the overall attendance of IT committees. Taking the criticality of IT into account,
boards should manage IT with commitment and accuracy as they do with other critical
areas, such as audit, compensation and acquisitions. An instrument for achieving
this is an IT strategy committee that supports the board in carrying out its
IT governance duties.
On the other hand, the detailed implementation of the IT/business
strategies is the responsibility of executive management assisted by a variety
of steering committees overseeing major projects and managing priorities. Considering
the importance of the IT strategy committee and the IT steering committee,
careful and close monitoring through the aforementioned measures is required. Besides meeting
frequency and attendance, profile and IT literacy should be monitored to ensure
that the right people are members.
The ideal composition of an IT strategy committee is a board member as chairman,
other board members and independent members who are ex-officio representatives
of key executives. Whether the CIO or a member of executive management is on
the board is an indication of how important IT is considered within the organisation.
The balanced scorecard can be an effective management instrument. The existence
of an IT balanced scorecard and a business balanced scorecard is supportive
in achieving a link between IT and business objectives.
The future orientation scorecard reports on the building
of foundations for governance delivery focussing on relational mechanisms, the
third leg of the IT governance tripod. Understanding of business/IT objectives,
cross-functional business/IT training, and cross-functional business/IT job
rotation are of primordial importance. IT governance structures and processes
may be in place, but when IT and business professionals do not understand each
other and do not share the business/IT-related problems, a successful fusion
between areas will not be achieved. Implementing the right relational mechanisms
is the crucial enabler for better governance structures and processes (operational
excellence perspective), higher stakeholder satisfaction (stakeholders' perspective),
and ultimately a higher governance performance (corporate contribution perspective).
Two distinct objectives of the future orientation perspective are skills and
knowledge and IT/business partnership. Within the skills and knowledge area,
the cross-functional education and training metrics are predominant: number
and level of cross-functional business/IT training sessions, number of overall
IT governance training sessions, and percentage of completed IT governance education
per skill type. Level and use of the IT governance knowledge management system
refers to an intranet that all employees can access for seeking and sharing
knowledge on the IT governance practices within the organisation.
Currently, many organisations are introducing and implementing IT governance
processes. Using the proposed generic IT governance BS may help them to realise
a successful implementation.
Improving IT governance performance is the main reason for building and implementing
an IT governance scorecard. It must be clear that measuring is not enough; the
scorecard must be implemented as a management system. When the measurements
indicate that there are major problems with risk management (corporate contribution),
a strategy to adequately improve the disaster recovery planning (DRP) can be
adopted.
With an IT governance balanced scorecard, organisations can empower their board,
CEO, CIO, executive management, and business and IT participants by providing
them with the information that is needed to act and achieve a better fusion between
business and IT and, consequently, reach better results. In this sense, the
IT governance scorecard can play an important role in an overall program that
should be in place to enhance corporate governance.
The author is a Chartered Accountant, CISA, ISA(ICAI) with
a Diploma in Company Directorship. He is a business consultant and a turnover
expert. He can be reached at singhal111@yahoo.co.in