Posted: January 24th, 2023

Biotech Company Situational Analysis

Situation: The biotech company lacks an IT organization, and its governing bodies lack formal charters:

  • Create a Charter for the Enterprise Security Committee 
  • Use the guideline outlined below as a reference

  

Create a Charter for the Enterprise Security Committee (30 Points); Use the guideline outlined below.

• The IT Governance charter document should be in outline format and contain the following sections:

• Governance Entity Name

• Purpose

• Scope/Jurisdiction

• Objectives

• Responsibilities

• Decision Authority

• Membership Chair Person(s) & Members (appointments and rotation)

• Deliverables

• Structure (meeting frequency and location)

• Relationships (Other governing entities)

• Executive Signatures (CEO, CIO, COO, etc.) & Dates

Harrisburg University
ISEM 547

IT Governance

Objectives

What is IT Governance

Key Stakeholders & Respective Concerns

Importance of IT Governance

Benefits of IT Governance

Best Practices

IT Governance Areas (High-level Frameworks)

Governing Entities in an Organization

Defining Charters for Governing Entities

IT Governance

What is IT Governance?

[Figure: IT Governance overview diagram. Elements shown: IT Governance; IT Decisions & Outcomes; IT Principles (Alignment & Value Delivery); Data/Information Governance; Application Governance; IT Architecture Governance; IT Financial Governance; Project Portfolio Governance; Infrastructure Governance; Process Governance; Contract & Procurement Governance; Vendor/Supplier Governance; Service Governance; Security; Risk Management; Audits & Compliance; Continuity; Sustainability; Ethics; Performance; Capabilities; Legal & Regulatory.]

What is IT Governance?

IT Governance is a subset discipline of Corporate Governance
IT Governance covers the culture, organization, policies, and practices that provide the proper due diligence, controls, oversight, and transparency of IT
Ultimately it is the responsibility of the Board of Directors to ensure that IT is adequately governed

What is IT Governance?

IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules.
It requires a commitment from the top of the organization
IT Governance is an ongoing activity that requires continuous improvement in response to fast-changing business and IT environments
IT Governance can be integrated within a wider Enterprise Governance approach, and support the increasing legal and regulatory requirements of Corporate Governance

IT Governance Framework (Key Areas)

Data/Information Governance
Application Governance
Architecture Governance
Service Governance
Infrastructure Governance
Vendor/Supplier Governance
Financial Governance
Project & Portfolio Governance
Process Governance
Contracts & Procurements Governance


What is IT Governance?
Definitions:
IT Principles are a related set of high-level statements about how IT is used in the business to achieve its goals and objectives.
IT Infrastructure refers to an enterprise’s entire collection of hardware, software, networks, data centers, facilities and related equipment used to develop, test, operate, monitor, manage and/or support business and IT services.
IT Architecture is an organized set of consensus decisions on policies & principles, services & common solutions, standards & guidelines as well as specific vendor products used by IT providers both inside and outside the organization to support business and IT services.
IT Services are a set of related functions provided or facilitated by the IT organization in support of one or more business areas. IT technical and professional services enable organizations in the creation, management and optimization of, or access to, information and business processes.
IT service management (ITSM) refers to the entirety of activities – directed by policies, organized and structured in processes and supporting procedures – that are performed by an organization or part of an organization to plan, design, build, deliver, operate and control IT services offered to customers.

IT Governance
Purpose & Importance of IT Governance

What is the Purpose of IT Governance?
In every organization, IT governance must address eight interrelated IT decisions:
IT Principles & Controls
IT Services
IT Architecture
IT Infrastructure
Business Applications
Data/Information
Cybersecurity
IT Investment & Prioritization
These decisions are critical to the success of the digital enterprise

What is the Purpose of IT Governance?

The purpose of IT Governance is to ensure that the proper processes, controls, procedures, policies, legal, and management practices are in place.
Key areas auditors look at regarding IT governance:
Alignment (all areas)
Risk Management
IS/IT Management
Financial Management
Vendor/Supplier Management
Data/Information Security
Resource Management
Compliance

Importance of IT Governance?

Increased corporate awareness of cyber security and other IT related risks
Validate protection, acquisition, or replacement strategies of IT assets
Improve the management and control of IT activities (indirect or direct impact on business outcomes)
Improve clarity and transparency regarding significant IT decisions
Ensure accountability, ownership, and clarity of responsibilities for IT services, projects, and investments
Promote consistent architecture and utilization of industry standards
Better understanding of the value delivered by IT, both internally and from external suppliers
Cost controls and operational efficiency
Proper management of IT assets and investments
Compliance with internal and external auditors and regulators

IT Governance
Stakeholders of IT Governance

Stakeholders of IT Governance?

Top level business leaders
Investors and public relations
Internal and external auditors and regulators
Middle level business and IT management
Business partners and suppliers
Shareholders
Customers/Citizens
Auditors


Concerns of Stakeholders

Availability, security and continuity of Business and IT services
Costs and measurable returns on investments
Quality and reliability of services
IT inability to respond to business needs
Identification and management of IT related risks to the business
Compliance to legal, regulatory and contractual requirements
Responsiveness and nimbleness to changing conditions
Use and protection of customer data, information, and other corporate computing assets


IT Governance
Benefits of IT Governance

Benefits of Governance

IT Governance Specialist Development Group (SDG) has outlined some key benefits associated with IT Governance:
Transparency and Accountability
Return on Investment/Stakeholder Value
Enhancement and protection of reputation and image
Improved outcomes regarding key IT governance decisions

Benefits of Governance

Enhancement and protection of reputation and image
Improved transparency and outcomes regarding key IT governance decisions
Expansion of Business Opportunities & Partnerships
Performance Improvement
Ensure Compliance (Internal & External)

IT Governance
Best Practices of IT Governance

Best Practices of IT Governance

An enterprise wide approach should be adopted
Top level commitment backed up by clear accountability is a necessity
An agreed IT Governance and control framework is required


Best Practices of IT Governance

Trust needs to be gained for the IT function (in house and/or external)
Stakeholder Management
Establish Process Governance & Assessment Method


Process Governance and Assessments?

Best Practices of IT Governance

Creating IT Governance Program
Secure executive sponsorship with clear direction, goals, and objectives for establishing an enterprise IT governance program
Establish IT Governance Steering Committee (Cross-functional representation)
Define the strategy for establishing the enterprise IT governance program with CFS (e.g., governing bodies and frameworks, IT policy lifecycle management, risk management, and key IT areas)
Coordinate with key stakeholders to define an executable transition roadmap and timeframes
Establish a deliverables based project plan using a phased approach
Celebrate accomplishments and leverage lessons learned for course corrections and continuous improvement


Group Discussion Questions

What key areas should be incorporated into your organization’s IT governance framework?
Has anyone been a part of an IT governing body (e.g., board, committee, workgroup)?
What was the purpose of the IT governing body and what decisions did they make?
Outline some key areas auditors look at regarding IT governance.
Why is IT Governance important?
What are some of the key benefits that can be derived from IT Governance?

IT Governance Frameworks
Governing Bodies

IT Governance Framework

An IT governance framework should have defined governing entities specific to the IT domain and governance decision areas
Membership will be based on organizational positions, roles, and subject matter expertise
Purpose, objectives, membership, decision authority, interrelationship, meeting frequency should all be defined in a charter for each governing body
Each governing body should have a designated Chair Person or Co-Chairs appointed
Charters should be reviewed and signed by executive management
It is not uncommon to have IT managers serve on multiple governing bodies or participate on an as-needed basis for matters that cross domain boundaries
Arbitration and final decision authority rests with an executive steering committee or board
IT governance frameworks should be structured to push decisions to the lowest level possible based on the predefined criteria (e.g., thresholds, policy, authority, type, elevation conditions, etc.)
Alignment of IT portfolios and change management processes are vital for effective IT governance frameworks (e.g., services, applications, security, policy, infrastructure, architecture)

IT Governance Framework

[Figure: IT Governance Framework diagram. Decision Making Body: Information Technology Executive Board / Senior Executive Team. Recommending bodies with limited delegated decision authority: Data/Information Committee; Enterprise Security Committee; Architecture & Infrastructure Committee; Enterprise IT Services Committee; Enterprise Application Committee. Other elements shown: Business & IT Strategic Plans; IT Portfolios; IT Finance & Budget; IT Contracts & Procurements.]

IT Service Governance Framework?

Data Governance Framework?

IT Governance Framework – Matrix

Governing Entity | Purpose | Scope/Jurisdiction | Responsibilities | Decisions | Deliverables | Membership | Inter-Relationship
Business & IT Executive Board | | | | | | |
Data/Information Committee | | | | | | |
Enterprise Application Committee | | | | | | |
Architecture & Infrastructure Committee | | | | | | |
Enterprise Security Committee | | | | | | |
Enterprise IT Services Committee | | | | | | |

IT Governance Matrix (template; cells to be completed for each governing entity)

Creating Governance Entity Charters


What is a Charter?
A formal document that defines a governing entity, granting it certain rights, privileges, and authority to monitor the actions, policies, practices, and decisions of organizations.
Defines its purpose, responsibilities, composition, and mandated function(s), and lays down rules for its conduct and delegation of authority.
Charters are usually authorized or revoked by corporate executives

Charter Elements
Each governance entity within an organization should have a charter document with executive approval
An IT Governance charter document contains the following sections:
Governance Entity Name
Purpose
Scope/Jurisdiction
Objectives
Responsibilities
Decision Authority
Membership Chair Person(s) & Members (appointments and rotation)
Deliverables
Structure (meeting frequency and location)
Relationships (Other governing entities)
Executive Signatures (CEO, CIO, COO, etc.) & Dates
Version Control
The organization that is responsible for policy lifecycle management usually facilitates the creation and maintenance of the IT Governance Charters

Group Discussion

What happens when there is a lack of collaboration and synergy between these governing entities?
Why is it important to have a governance matrix and charters defined for your IT governance framework?

Assignments
Chapter 8 (IT Managers Handbook)
Homework 3: Corporate & IT Governance Frameworks
Project 2:
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write an Information Security Policy for Data Classifications


Harrisburg University
ISEM 547

Governance Overview & Corporate Governance

Objectives

Components of Governance

What is Corporate Governance

Good Governance & Best Practices


What is Governance?

What is Governance?

Governance incorporates all the guiding principles, codes of conduct, regulations, processes, procedures, and policies that coordinate and control an organization’s resources and actions
Governance frameworks often take the form of councils, boards, and committees that ensure accountability and compliance.

Key components of Governance Framework

Components of Governance Frameworks

Governing Bodies: these are entities established within the organization for the creation, execution, and management of governance (Boards, Committees, Councils, Workgroup);
Board: a group of people who have the oversight, power, and authority to decide and control the workings of an organization. Boards are more strategic, set the direction, and can delegate their functions and authority to a committee.
Committees: subgroups usually created and sanctioned by the board to carry out much of the detailed work for specific purposes, with a formal charter and protocols. Committee members are usually assigned due to their expertise and/or because they have a vested interest.
Council: an official government body with the power to make and/or enforce laws to control a country, land area, people or organization. Note: legal counsel is often consulted regarding IT matters.
Workgroup: an ad hoc group of subject-matter experts assembled to work together on a common goal or task. Often formed to work with committees on specific initiatives for a limited time period, then disbanded when the task has been completed.
Organizations usually have a mix of business and IT related governing entities.

Components of Governance Frameworks

Policies are principles, rules, and protocols formulated or adopted by an organization to govern its actions.
Procedures are specific instructions used to implement policy requirements in a specific way; they are enforceable through the policy
Guidelines are general rules, practices, and/or instructions that can be referenced to comply with policy; they are not enforceable but recommended as best practices that should be followed
Policies should have a formal lifecycle and change management process

Components of Governance Frameworks

Standards: refer to something that is considered by an authority or by general consent as a basis of comparison (e.g., industry, protocols, academic, etc.)
Metric: is a quantifiable measure that is used to track and assess the status of a specific process, system, or entity. Metrics can be used to determine status, effectiveness or compliance (e.g., governing bodies, policies, processes, procedures, systems, components, etc.)


Components of Governance Frameworks

Enterprise Risk Management: Risk management is the identification, assessment, and prioritization of risks to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Training: an effective mechanism for stakeholder awareness; training on governing bodies and policies is important to inform and educate stakeholders
Communications: define communication strategies and plans for stakeholders when instituting new or making changes to existing governance frameworks within the organization.

IT Governance Frameworks
Governance Pro

Good Governance

Characteristics of Good Governance

Good governance has eight major characteristics: participatory, consensus oriented, accountable, transparent, responsive, effective and efficient, equitable and inclusive, and follows the rule of law.
Rule of Law requires fair legal frameworks that are enforced by an impartial regulatory body, for the full protection of stakeholders.
Transparency means that information should be provided in easily understandable forms and media, freely available and directly accessible

Characteristics of Good Governance

Responsiveness requires that organizations and their processes are designed to serve the best interests of stakeholders within a reasonable timeframe
Consensus Oriented requires consultation to understand and best serve the different interests of all stakeholders affected by the policy.
Equity and Inclusiveness means that the organization provides the opportunity and mechanisms for its stakeholders to improve their well-being
Effectiveness and Efficiency means that the processes implemented by the organization produce favorable results and meet the needs of its stakeholders

Characteristics of Good Governance
Accountability is a key tenet of good governance. Who is accountable for what should be documented in policy statements.
Participation, the inclusion of both men and women, either directly or through legitimate representatives, is a key cornerstone of good governance.

Corporate Governance
MIT Sloan School Center for Information Systems Research (CISR)

[Figure: Corporate Governance model (MIT Sloan CISR). Elements shown: Board of Directors; Senior Executive Team; Strategy; Desired Behaviors & Outcomes; Governance Committees & Workgroups; Key Corporate Assets (Human Assets, Financial Assets, Physical Assets, Data/Information & IT Assets, Brand Reputation, Relationship Assets, IP Assets); Key Asset Governance; Legal & Regulatory; Shareholders; Other Stakeholders; Risk Management, Policies & Procedures, Audits & Compliance; Standards Organizations; IT Governance.]

What is Corporate Governance?

Corporate governance is the system of rules, practices and processes by which a company is directed and controlled
It is a framework of values, rules, policies, and practices by which the Board of Directors (BOD) ensures accountability, fairness, and transparency in a company.
Corporate governance involves balancing the many interests of the stakeholders of a corporation and the protection of corporate assets


What is Corporate Governance?
Corporate Governance Framework
The corporate BOD, via the senior executive team, authorizes the establishment and provides oversight of governing bodies that align with corporate strategy and drive desired behaviors and outcomes
Governance committees and workgroups are the workhorse of the corporate governance framework
IT Governance is a subset of Corporate Governance


What is Corporate Governance?
Corporate Governance Framework – Assets
Human Assets
Financial Assets
Physical Assets
Brand-Reputation Asset
IP Assets
Relationship
Data/Information & IT Assets

Benefits of Corporate Governance

Legal compliance
Improves Company Reputation
Establishes oversight, transparency, accountability, and controls that are in the best interest of the company
Shareholder Wealth Creation
Decrease conflicts and fraud
Fewer Fines, Penalties, & Lawsuits
Increase competitiveness and higher market valuation


Group Discussion Questions

What are the governing bodies associated with corporate governance?
Has anyone been a part of a corporate governing body (e.g., board, committee, workgroup)? Do you feel corporate policies are effective?
What was the purpose of the governing body and what decisions did they make?
What are the characteristics of good governance?
What assets are to be protected through corporate governance?
Where is IT Governance in relationship to corporate governance?

Assignments
Chapter 8 (IT Managers Handbook)
Homework 3: Corporate & IT Governance Frameworks
Project 2:
Part A: Create an IT Governance Matrix
Part B: Create a Governance Charter for Enterprise Security Committee
Part C: Write an Information Security Policy for Data Classifications



THE UK’S LEADING PROVIDER OF EXPERT SERVICES FOR IT PROFESSIONALS
NATIONAL COMPUTING CENTRE
IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT

The effective use of information technology is now an accepted organisational imperative – for
all businesses, across all sectors – and the primary motivation; improved communications and
commercial effectiveness. The swift pace of change in these technologies has consigned many
established best practice approaches to the past. Today’s IT decision makers and business
managers face uncertainty – characterised by a lack of relevant, practical, advice and standards
to guide them through this new business revolution.
Recognising the lack of available best practice guidance, the National Computing Centre has
created the Best Practice Series to capture and define best practice across the key aspects of
successful business.
Other Titles in the NCC Best Practice series:
IT Skills – Recruitment and Retention ISBN 0-85012-867-6
The New UK Data Protection Law ISBN 0-85012-868-4
Open Source – the UK opportunity ISBN 0-85012-874-9
Intellectual Property Rights – protecting your intellectual assets ISBN 0-85012-872-2
Aligning IT with Business Strategy ISBN 0-85012-889-7
Enterprise Architecture – understanding the bigger picture ISBN 0-85012-884-6
IT Governance – developing a successful governance strategy ISBN 0-85012-897-8
Security Management – implementing ISO 27000 ISBN 0-85012-885-4
All titles are available from NCC; see the website for further details: www.ncc.co.uk
The National Computing Centre – generating best practice

IT Governance
Developing a Successful
Governance Strategy
A Best Practice Guide for Decision Makers in IT

IT Governance Developing a Successful Governance Strategy
Foreword
For organisational investment in IT to deliver full value, it is recognised that IT has to be fully aligned to business strategies
and direction, key risks have to be identified and controlled, and legislative and regulatory compliance demonstrated. IT
Governance covers this and more, and in light of recent corporate failures, scandals and failure, enjoys a higher profile today
than ever before.
Back in 2003, IMPACT launched an IT Governance Specialist Development Group (SDG) to identify the issues that need to be
addressed and to share and further develop the practical approaches to IT governance used in their organisations.
Over the past two years, heads of IT governance from Abbey, Aon, Avis, Barclays, BOC, DfES, Eli Lilly, Learning & Skills
Council, Legal & General, NOMS, Royal Mail and TUI Group have examined what they identified as the key topics and, with
the guidance of IT governance expert Gary Hardy, have defined the good practices captured in this guide.
For further information on the IMPACT Programme, its Professional Development Programme and the IT Governance and
CobiT Specialist Development Group, please contact Elisabetta Bucciarelli on 0207 842 7900 or email elisabetta.bucciarelli@
impact-sharing.com. The IMPACT Programme is a division of the National Computing Centre.
The IMPACT Programme
International Press Centre
76 Shoe Lane
London EC4A 3JB
IT Governance
Developing a successful governance strategy
A Best Practice Guide for decision makers in IT
Published by
The National Computing Centre
Oxford House
Oxford Road
Manchester
M1 7ED
Website: www.ncc.co.uk
Tel: 0161 242 2121
Fax: 0161 242 2499
First published November 2005
Copyright © National Computing Centre 2005
ISBN: 0-85012-877-8
British Cataloguing in Publication
A CIP catalogue record for this book is available from the British Library
Printed and bound in the UK
All rights reserved: no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise without either the prior written permission of the authors and Publisher or as
permitted by the Copyright, Designs and Patents Act 1988. Enquiries for such permissions should be made to the Publisher.
Disclaimer
Every care has been taken by the authors, and by the National Computing Centre, and associated working groups, in the preparation of this
publication, but no liability whatsoever can be accepted by the authors or by National Computing Centre, or associated NCC working groups,
for actions taken based on information contained in this document.
All trademarks acknowledged.

Contents

1 IT Governance – The Business Case . . . 4
1.1 Why is IT Governance important? . . . 5
1.2 What does IT Governance cover? . . . 6
1.3 What are the benefits? . . . 6
1.4 What is IT Governance best practice? . . . 7
2 Performance Measurement . . . 9
2.1 Why is performance measurement important? . . . 9
2.2 What does performance measurement cover? . . . 10
2.3 Who are the stakeholders and what are their requirements? . . . 11
2.4 What should we measure? . . . 12
2.5 What is best practice? . . . 12
3 Implementation Roadmap . . . 14
3.1 Goals and success criteria . . . 14
3.2 How to get started . . . 15
3.3 Who needs to be involved and what are their roles and responsibilities? . . . 16
4 Communication Strategy & Culture . . . 18
4.1 Who do we need to influence? . . . 18
4.2 What are the key messages? . . . 19
4.3 Communication best practices . . . 20
4.4 Developing an influencing strategy . . . 20
4.5 Change roadmap . . . 22
5 Capability Maturity & Assessment . . . 23
5.1 Why IT capability is important . . . 23
5.2 How to measure IT capability . . . 24
5.3 Setting maturity targets and considering improvements . . . 25
5.4 Roadmap for sustaining the approach . . . 25
5.5 Self assessment tool . . . 26
6 Risk Management . . . 28
6.1 What are the risks? . . . 28
6.2 What is the best approach for risk analysis and management? . . . 29
6.3 Using standards and best practices – is certification useful? . . . 30
6.4 What are the roles of management, staff and auditors? . . . 31
6.5 Who needs to be competent? . . . 31
6.6 What competence is required? . . . 32
6.7 How to obtain, develop, retain and verify competence . . . 33
6.8 When to source competence from outside . . . 35
6.9 Key learning points . . . 35
7 Supplier Governance . . . 37
7.1 Why is supplier governance important? . . . 37
7.2 The customer’s role . . . 38
7.3 How best to select a supplier . . . 40
7.4 The customer/supplier relationship . . . 40
7.5 Service management techniques and SLAs . . . 41
7.6 The supplier/outsourcing governance lifecycle . . . 42
8 IT & Audit Working Together and Using CobiT . . . 43
8.1 Introduction to CobiT . . . 43
8.2 How is CobiT being used? . . . 44
8.3 What are the roles of IT and audit for IT Governance? . . . 45
8.4 How can IT and internal audit work better together? . . . 45
9 Information Security Governance . . . 48
9.1 Background . . . 48
9.2 What is information security? . . . 49
9.3 Where to focus . . . 50
9.4 Roles and responsibilities . . . 50
9.5 Action planning and best practice . . . 52
10 Legal & Regulatory Aspects of IT Governance . . . 53
10.1 Legal and regulatory factors affecting IT Governance . . . 53
10.2 Roles and responsibilities . . . 54
10.3 Best approach to compliance . . . 55
10.4 What IT has to do . . . 56
10.5 Dealing with third parties . . . 58
10.6 Critical success factors . . . 59
11 Architecture Governance . . . 60
11.1 Why is architecture governance important? . . . 60
11.2 What are the objectives of architecture governance? . . . 61
12 Managing the IT Investment . . . 63
12.1 Why is managing the IT investment important? . . . 63
12.2 Portfolio management . . . 64
12.3 Benefits management . . . 65
12.4 Measuring investment performance . . . 65
12.5 Improve value delivery and ROI . . . 66
12.6 Measuring and controlling IT operational costs . . . 66
12.7 Project risk management . . . 66
13 Success Factors . . . 67

1 IT Governance – The Business Case
1.1 Why is IT Governance important? . . . 5
1.2 What does IT Governance cover? . . . 6
1.3 What are the benefits? . . . 6
1.4 What is IT Governance best practice? . . . 7
The guide focuses on 12 key topics selected by the group because of their importance to effective IT governance:
• The business case – The organisation needs to understand the value proposition
• Performance measurement – Is the ship "on course"?
• Implementation roadmap – How to start – What path to follow
• Communications – How to explain the objectives and change the culture
• Capability assessment – Finding out the true current state of IT governance
• Risk management – What risks exist and how to make sure they are dealt with
• Supplier governance – External parties play a big role and must be included
• IT and audit working together – How to co-operate for a common goal
• Information security – A key topic in today's networked environment
• Legal and regulatory aspects – Compliance is a global concern
• Architectures – The foundation for effective technical solutions
• Managing investments – Ensuring value is delivered and benefits realised
Implementation of this guidance, or indeed any IT best practice, should be consistent with your organisation’s management
style and the way your organisation deals with risk management and delivery of IT value. Please share these ideas with your
business users, external service providers, and auditors, since to realise their full value, all stakeholders of IT services should
be involved.
Analysts broadly agree that the biggest risk and concern to top management today is failing to align IT to real
business needs, and failing to deliver, or to be seen to deliver, value to the business. Since IT can have such a dramatic
effect on business performance and competitiveness, a failure to manage IT effectively can have a very serious impact on the
business as a whole.
Corporate Governance generally has taken on even greater significance. It is being recognised that IT has a pivotal role to play
in improving corporate governance practices, because critical business processes are usually automated and directors rely on
information provided by IT systems for their decision making. With the growth of direct connection between organisations and
their suppliers and customers, and more and more focus on how IT can be used to add value to business strategy, the need
to effectively manage IT resources and avoid IT failures and poor performance has never been greater.
The current climate of cost reduction and budget restriction has resulted in a new norm: there is an expectation that IT
resources will always be used as efficiently as possible and that steps are taken to organise these IT resources ready for
the next cycle of growth and new IT developments. A key aspect of these factors is the increasing use of third party service
providers and the need to manage these suppliers properly to avoid costly and damaging service failures.
This briefing provides a high level set of business arguments for IT Governance. It also explains how an IT Governance
initiative can enable business and IT executives to:
• Be sure that they are aware of all IT related risks likely to have an impact on their organisation;
• Know how to improve the management processes within IT to manage these risks;
• Ensure there are manageable relationships with suppliers, service providers and with the business (customers);
• Ensure there is a transparent and understandable communication of these IT activities and management processes to satisfy the Board and other interested stakeholders.

IT Governance covers the culture, organisation, policies and practices that provide this kind of oversight and transparency of
IT. IT Governance is part of a wider Corporate Governance activity but with its own specific focus. The benefits of good IT
risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures, but also
engender greater trust, teamwork and confidence in the use of IT itself and in the people trusted with IT services.
1.1 Why is IT Governance important?
IT Governance has become very topical for a number of reasons:
• In the wake of Enron and other corporate scandals, "Governance" generally has taken on even greater significance. IT has a pivotal role to play in improving corporate governance practices.
• Management's awareness of IT related risks has increased.
• There is a focus on IT costs in all organisations.
• There is a growing realisation that more management commitment is needed to improve the management and control of IT activities.
IMPACT's IT Governance Special Interest Group (SIG) has examined these trends and found that the following issues drive
the need for IT Governance:
• There is a general lack of accountability and not enough shared ownership and clarity of responsibilities for IT services and projects. The communication between customers (IT users) and providers has to improve and be based on joint accountability for IT initiatives.
• There is a potentially widening gap between what IT departments think the business requires and what the business thinks the IT department is able to deliver.
• Organisations need to obtain a better understanding of the value delivered by IT, both internally and from external suppliers. Measures are required in business (the customer's) terms to achieve this end.
• Top management wants to understand "how is my organisation doing with IT in comparison with other peer groups?"
• Management needs to understand whether the infrastructure underpinning today's and tomorrow's IT (technology, people, processes) is capable of supporting expected business needs.
• Because organisations are relying more and more on IT, management needs to be more aware of critical IT risks and whether they are being managed. Furthermore, if there is a lack of clarity and transparency when taking significant IT decisions, this can lead to reluctance to take risks and a failure to seize technology opportunities.
• And finally, there is a realisation that because IT is complex and has its own fast changing and unique conditions, the need to apply sound management disciplines and controls is even greater.
Stakeholders include:
• Top level business leaders such as the Board, Executive, non-Execs, and especially heads of Finance, Operations and IT.
• Those that have a responsibility for investor and public relations.
• Internal and external auditors and regulators.
• Middle level business and IT management.
• Key business partners and suppliers.
• Shareholders.
• Customers.
Concerns they typically have include:
• Availability, security and continuity of IT services.
• Costs and measurable returns on investments.
• Quality and reliability of service – no embarrassments.
• IT not appearing to respond to the real needs of the business.
• Identification and management of IT related risks to the business.
• Capability and skills of human resources.
• Compliance to legal, regulatory and contractual requirements.
• Responsiveness and nimbleness to changing conditions.
1.2 What does IT Governance cover?
IT Governance is a relatively new concept as a defined discipline and is still evolving.
IT Governance is not just an IT issue or only of interest to the IT function. In its broadest sense it is a part of the overall
governance of an entity, but with a specific focus on improving the management and control of Information Technology for the
benefit of the primary stakeholders. Ultimately it is the responsibility of the Board of Directors to ensure that IT along with other
critical activities is adequately governed. Although the principles are not new, actual implementation requires new thinking
because of the special nature of IT.
IT Governance spans the culture, organisation, policy and practices that provide for IT management and control across
five key areas [1]:
• Alignment – Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects.
• Value Delivery – Confirm that the IT/Business organisation is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business, and assess ROI.
• Risk Management – Ascertain that processes are in place to ensure that risks have been adequately managed. Include assessment of the risk aspects of IT investments.
• Resource Management – Provide high-level direction for sourcing and use of IT resources. Oversee the aggregate funding of IT at enterprise level. Ensure there is an adequate IT capability and infrastructure to support current and expected future business requirements.
• Performance Measurement – Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
IT Governance is not a one-time exercise or something achieved by a mandate or setting of rules. It requires a commitment
from the top of the organisation to instil a better way of dealing with the management and control of IT. IT Governance is an
ongoing activity that requires a continuous improvement mentality and responsiveness to the fast changing IT environment.
IT Governance can be integrated within a wider Enterprise Governance approach, and support the increasing legal and
regulatory requirements of Corporate Governance.
1.3 What are the benefits?
Investments are likely to be needed to improve and develop the IT Governance areas that need attention. It is important
therefore, to begin with as good a definition as possible of the potential benefits from such an initiative to help build a viable
business case. The expected benefits can then become the project success criteria and be subsequently monitored.
The IMPACT IT Governance SIG has identified the following main areas of benefit likely to arise from good IT Governance:
Transparency and Accountability
• Improved transparency of IT costs, IT process, IT portfolio (projects and services).
• Clarified decision-making accountabilities and definition of user and provider relationships.
Return on Investment/Stakeholder Value
• Improved understanding of overall IT costs and their input to ROI cases.
• Combining focused cost-cutting with an ability to reason for investment.
• Stakeholders allowed to see IT risk/returns.
• Improved contribution to stakeholder returns.
• Enhancement and protection of reputation and image.

[1] Board Briefing on IT Governance, 2nd Edition, the IT Governance Institute®.
Opportunities and Partnerships
• Provide route to realise opportunities that might not receive attention or sponsorship.
• Positioning of IT as a business partner (and clarifying what sort of business partner IT is).
• Facilitate joint ventures with other companies.
• Facilitate more business like relationships with key IT partners (vendors and suppliers).
• Achieve a consistent approach to taking risks.
• Enables IT participation in business strategy (which is then reflected in IT strategy) and vice versa.
• Improve responsiveness to market challenges and opportunities.
Performance Improvement
• Achieve clear identification of whether an IT service or project supports "business as usual" or is intended to provide future added value.
• Increased transparency will raise the bar for performance, and advertise that the bar should be continuously raised.
• A focus on performance improvement will lead to attainment of best practices.
• Avoid unnecessary expenditures – expenditures are demonstrably matched to business goals.
• Increase ability to benchmark.
External Compliance
• Enables an integrated approach to meeting external legal and regulatory requirements.
1.4 What is IT Governance best practice?
Experiences gained by IMPACT SIG members have identified a number of practical organisational and process issues that
need to be addressed when implementing IT Governance. This has enabled the Group to recommend the following best
practices (critical success factors) when planning IT Governance initiatives:
An enterprise wide approach should be adopted
• The business and IT must work together to define and control requirements.
• IT will need to develop a control model applicable to all business units/divisions.
• A committee approach is recommended for setting, agreeing, and monitoring direction/policy etc.
• A shared, cohesive view of IT Governance is needed across the enterprise based on a common language.
• There should be a clear understanding (and approval) by stakeholders of what is within the scope of IT Governance.
Top level commitment backed up by clear accountability is a necessity
• IT Governance needs a mandate and direction from Board/Executive level management if it is to succeed in practice.
• Make sure management responsibilities and accountabilities in the business as well as IT have been defined.
An agreed IT Governance and control framework is required
• Although it may generate challenges and push back, and will require a consensus, an agreed framework for defining IT processes and the controls required to manage them must be defined for IT Governance to function effectively.
• The processes for IT Governance need to be integrated with other enterprise wide governance practices so that IT Governance does not become just an IT owned process.
• The framework needs to be supported by an effective communication and awareness campaign so that objectives are understood and the practices are complied with.
• Incentives should be considered to motivate adherence to the framework.
• Pay attention to devolved decentralised IT organisations to ensure a good balance between centrally driven policy and locally implemented practices.
• Avoid too much bureaucracy.
Trust needs to be gained for the IT function (in house and/or external)
• For IT Governance to work the suppliers of IT services and know-how need to be seen as professional, expert and aligned to customer requirements. Trust has to be developed by whatever means including awareness programmes, joint workshops, and the IT Director acting as a bridge between the business and IT.
Measurement systems will ensure objectives are owned and monitored
• Creation of an IT scorecard will underpin and reinforce achievement of IT Governance objectives.
• Creation of an initial set of measures can be a very good way to raise awareness and initiate an IT Governance programme.
• The measures used must be in business terms and be approved by stakeholders.
Focus on costs
• It is likely that there will be opportunities to make financial savings as a consequence of implementing improved IT Governance. These will help to gain support for improvement initiatives.

2 Performance Measurement
2.1 Why is performance measurement important? . . . 9
2.2 What does performance measurement cover? . . . 10
2.3 Who are the stakeholders and what are their requirements? . . . 11
2.4 What should we measure? . . . 12
2.5 What's best practice? . . . 12
One of the greatest challenges faced by those trying to manage IT in today's fast moving economy and complex technical
environment is knowing whether the "ship is on course" and being able to predict and anticipate failures before it is too
late. Like driving a car or steering a ship, good instruments are essential. The use of measures to help steer the IT function
has for many years been a challenge that few appear to have successfully addressed, which is why the expression "it's like
driving a car with a blacked out windscreen and no instruments" is often used. If it is difficult for those literate in technology
and relatively close to the IT function, then it is even worse for the end customer, who finds technical jargon a smokescreen and
the lack of information relevant to their business a major headache.
There is no doubt that a practical and effective way to measure IT performance is an essential part of any IT Governance
programme, just as transparency and reliability of financial results are a Corporate Governance necessity. Performance
measurement is important because it verifies the achievement of strategic IT objectives and provides for a review of IT
performance and the contribution of IT to the business (i.e. delivery of promised business value). It is also important in
providing a transparent assessment of IT's capability and an early warning system for risks and pitfalls that might otherwise
have been missed. Performance measurement provides transparency of IT related costs, which increasingly account for a
very significant proportion of most organisations' operating expenses.
Stakeholders play a key part in IT Governance, since at the heart of the governance responsibilities of setting strategy,
managing risks, allocating resources, delivering value and measuring performance, are the stakeholder values, which drive
the enterprise and IT strategy.
For performance measurement to be successful, it is important to understand who the stakeholders are and what their
specific requirements and drivers are so that the performance measurements will be meaningful to them. An IT Governance
best practice is the approval of measures by stakeholders. A performance measurement system is only effective if it serves
to communicate to all who need to know what is important and then motivates positive action and alignment to common
objectives. The measures are not an end in themselves but a means to take corrective action and to learn from real
experiences. Concise and understandable communication and clear accountabilities are therefore critical success factors if
measures are to be turned into effective actions.
“If you can’t measure it, you can’t manage it”
2.1 Why is performance measurement important?
“Teams that don’t keep score are only practising.”
Tom Malone, President Milliken & Company
Performance measurement is a key component of IT Governance. It verifies the achievement of strategic IT objectives and
provides for a review of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
Performance measurement supports the other key elements [2] of IT Governance by:
• Alignment – monitoring the strategic direction of IT and the alignment of IT and the business.
• Value Delivery – assessing whether the IT/Business organisation is providing business value from IT and assessing ROI.
• Risk Management – monitoring whether risks are being identified and managed and measuring the cost and benefit of risk management investments.
• Resource Management – measuring the effectiveness of sourcing and use of IT resources, the aggregate funding of IT at enterprise level, and measuring IT capability and infrastructure compared to current and expected future business requirements.

[2] Board Briefing on IT Governance, 2nd Edition, the IT Governance Institute®.
Performance measures are required to ensure that the outcomes of IT activities are aligned to the customer’s goals. Internal IT
process measures are required to ensure that the processes are capable of delivering the intended outcomes cost-effectively.
Advanced performance measurement enables the measurement of key aspects of IT capability such as creativity and agility
(new ideas, speed of delivery and success of a change programme), development of new solutions, ability to operate reliable
and secure services in an increasingly demanding IT technical environment, and the development of human resources and
skills.
Performance measurement may also be a vital tool when assessing mergers and acquisitions to allow earlier insight into
IT strengths and gaps. The introduction of a performance measurement system focused on a few key measures can be an
excellent way to kick-start an IT Governance initiative, providing, perhaps for the first time, transparency of critical activities
and a way to bridge the communication gap between IT and its customers.
2.2 What does performance measurement cover?
Performance measures are the “vital signs” of an organisation. They quantify how well the activities within a process or the
outputs of a process achieve a specific goal. The measures tell people what and how they’re doing as part of the whole.
They communicate what’s important throughout the organisation: strategy from top management down, process results from
the lower levels up, and control and improvement within the process. Only with a consistent view of the “vital signs” can
everyone work toward implementing the strategy, achieving the goals, and improving the organisation (Vital Signs, by Steven
M. Hronec).
An IT performance measurement system should help to:
• Focus on the customer to increase customer satisfaction
• Improve processes so problems are anticipated and prevented
• Understand and reduce costs
• Encourage and facilitate change by obtaining facts about current state, desired state and the gap that needs to be met
• Set realistic benchmarks for comparison
Effective performance measurement of IT will enable management and other stakeholders to know whether or not IT is
meeting its objectives. It provides a transparent and objective communication mechanism, as long as the measures are
understandable by both the customers and the service providers. The measures should address two aspects (the IT
Governance Institute's CobiT Management Guidelines provide example metrics for all IT processes and explain the
difference between Key Goal Indicators (KGIs) and Key Performance Indicators (KPIs)):
• Outcome focused – is IT meeting the objectives set by the customer?
• Process focused – are the IT processes operating effectively and likely to lead to the customer objectives being met?
The IT Governance SIG recommends that performance measures meet the following requirements to be successful:
• Defined using a common language appropriate and understandable for the audience
• Approved by the stakeholders
• In keeping with the culture and style of the organisation
• Based on targets derived from IT's objectives
• Contain a mix of objective and subjective measures
• Flexible and responsive to changing priorities and requirements
• Based on easy to collect actual measurement results
• Include both positive measures (to motivate) and negative measures (to correct)
• Balanced, i.e. measuring more than just financial results. The Balanced Scorecard is recommended as an effective approach providing financial, customer, internal and learning dimensions (The Balanced Scorecard, Kaplan & Norton)
• Limited in number and focused only on priority areas but sufficient to support decision making (passes the "so-what?" test)
• Easy to interpret (e.g. reporting should be visual using RAG or heat map techniques) and permit drilling down for more detail and examination of root causes. A scorecard is sometimes not appropriate, e.g. for project review and prioritisation or detailed analysis (where aggregation distorts or confuses)
• Show trends to enable backward examination and forward extrapolation
• Consolidated for hierarchical reporting
• Support benchmarking internally between peer groups and externally with best practice
• Integrated if possible with any existing business level performance measurement system
2.3 Who are the stakeholders and what are their requirements?
Stakeholders play a key part in IT Governance. At the heart of the governance responsibilities of setting strategy, managing
risks, allocating resources, delivering value and measuring performance, are the stakeholder values, which drive the enterprise
and IT strategy. For performance measurement to be successful, it is important to understand who the stakeholders are and
what their specific requirements and drivers are so that the performance measurements will be meaningful to them. An IT
Governance best practice is the approval of measures by stakeholders (IT Governance Institute – Board Briefing on IT
Governance).
For the purposes of performance measurement, we have classified stakeholders into three groups: investors, controllers and
deliverers/providers with specific measurement interests and requirements as follows:
Investors – (business management, business partners and IT management)
• Interests – they provide the funding and want to see a return on their investment and alignment with their strategic objectives
• Requirements
– Financial – ROI, cost v. budget, productivity, benefits realisation
– Customer – surveys and feedback (subjective as well as objective), strategic objectives v. actual projects/activities
– Process – capability benchmark, performance exceptions, transformation capability and tactical agility
– Learning – attrition, retention, skill profile, resource shortfall, training and development
Controllers – (internal and external audit, risk and compliance officers, finance, human resources, industry specific regulators)
• Interests – they monitor risk and compliance and have an interest in due process, regulatory and legal requirements, evidence of governance and risk management, amount of rework/repeat effort, and compliance with strategy
• Requirements
– Financial – losses, investments in control improvements
– Customer – exceptions/breaches, risk management, compliance with legislation and regulations
– Process – control effectiveness, compliance
– Learning – risk identification, risk prevention
Deliverers/Providers – (IT service and product suppliers, in-house and outsourced, contract and procurement management and staff involved in IT delivery and support)
• Interests – they need to meet customer expectations, and deliver in an efficient and effective way, preserving and enhancing reputation
• Requirements
– Financial – operational and project costs, cost allocation/recovery, service credits, cost optimisation
– Customer – performance against SLAs, satisfaction feedback e.g. survey responses, customer retention and growth statistics, effectiveness of dealing with business churn
– Process – internal improvement in efficiency and risk reduction, internal v. outsource decision support
– Learning – capability to deliver, readiness for new requirements, time to market for new initiatives
2.4 What should we measure?
The ownership of measures and accountability for achieving targets should be clear. Furthermore, ownership and the
collection of measurement data will not always be an IT responsibility, e.g. measurement of customer-focused outcomes. It
should therefore also be clear whose responsibility collection is. Where appropriate, measures should be formalised in Service
Level Agreements (SLAs) based on service descriptions written in a language and using terms meaningful to the customer.
For third party service providers an SLA should form part of the contractual agreement so that performance measurement can be backed up with contractual recourse in the event of performance failure. To support IT Governance the following top fifteen areas to measure are recommended, with an indication of who has a primary interest and therefore who should approve the measures (figure 2.4).
2.5 What is best practice?
Experiences gained by the IMPACT SIG members have identified a number of enablers and inhibitors that will assist in the
achievement of Performance Measurement best practices when supporting IT Governance. Since the Interest Group is not
primarily focused on performance measurement techniques we are not attempting to provide best practice guidance on
measurement methods and/or tools.
In general, performance measurement should support the classic control model (figure 2.5).
Area Investors Controllers Providers
Business & IT alignment √
Major project delivery performance (objectives, time and budget) √ √
Overall financial performance (costs v. budgets) √ √ √
ROI for IT investments (business benefit) √
Status of critical risks √ √ √
Performance with respect to reliability and availability of critical services √ √
Complaints (QOS) and customer perception √
Number of significant reactive fixes to errors √
SLA performance by third parties √ √
Relationships with suppliers (quality & value) √ √
Capability e.g. process maturity √
HR measures for people involved in IT activities √
Internal and external benchmarks √ √
Audit weaknesses √ √
Business continuity status √ √ √
Figure 2.4

Enablers
• Support and ownership of performance measurement by Stakeholders
• Measures that are approved by and meaningful to the Stakeholders
• Measures that align with agreed IT objectives
• Measures that focus on processes critical to the success of IT objectives
• Measures that are easy to collect and understand
• Targets that are challenging but also achievable
• Measures that are balanced e.g. based on the Balanced Scorecard technique
• Measurement reports and scorecards that are easy to interpret, with explanations of exceptions
• Where possible, measures should be automated
Inhibitors
• Too much focus on technical measures (especially if they are not aligned to IT objectives)
• Lack of ownership and accountability
• Measures which are not straightforward to interpret or encourage counter-productive behaviour (cf. National Health Waiting List targets)
• Measures which are expensive to collect or not focused on priority areas
• Too many measures obscuring relevant and important information
Figure 2.5 (classic control model)
3. Board Briefing on IT Governance, 2nd Edition, the IT Governance Institute®.

3 Implementation Roadmap
3.1 What are the goals and success criteria?
3.2 How to get started – the key initial activities
3.3 Who needs to be involved and what are their roles and responsibilities?
This chapter describes an “Implementation Roadmap” for activating an effective IT Governance programme to deliver the above benefits, and is based on the practical implementation experiences gained by the IMPACT IT Governance SIG members.
The roadmap begins with establishing clear goals and objectives in order to align effort with the real needs of the enterprise,
to manage expectations, and to ensure continual focus. The roadmap then consists of activities to get started, followed by
the key implementation tasks with suggested roles and responsibilities. IT Governance is an ongoing task and therefore this
roadmap is only the initial phase of what needs to become an iterative sustainable approach.
3.1 What are the goals and success criteria?
Implementing IT Governance for many organisations will mean major changes. It is important therefore to not only have high-
level sponsorship but also the active involvement of key stakeholders. The roadmap is an iterative lifecycle that begins with
an initial phase to define overall goals and to gain the support and commitment of top management which then leads to the
ongoing effective governance of IT activities.
A generic set of initial objectives has been identified by the SIG and is shown in Figure 3.1. Figure 3.1.1 suggests some
success criteria for this initial phase of IT Governance.
Typical objectives of the initial implementation phase (“Agreed” √ checklist)
• Define the meaning of governance in your organisation and where/if IT Governance fits
• Identify any organisational/environmental/cultural constraints and enablers
• Achieve a broad understanding of IT Governance issues and benefits across all stakeholders
• Agree, publish and gain acceptance of an initial IT Governance framework, tools and processes
• Completion of an initial gap analysis against best practice – to demonstrate where IT Governance is already in place and to highlight areas of focus for the roadmap
• Creation of a Project Initiation Document (PID) and/or Terms of Reference (ToR) that has the support of stakeholders
• Creation of a Project Plan with definition and prioritisation of the initial ITG project deliverables
• Identification and commitment of the resources required to deliver this initial project
• Identification and sign-off of Key Performance Indicators and Critical Success Factors for this project
• Documented estimated timescales and resource (£s and FTE) implications as well as expected ROI
• Alignment of the ITG Initiative with business objectives/strategy
Figure 3.1

3.2 How to get started – the key initial activities
Having set the goals, and gained support, activation consists of two steps – planning, based on analysis of the current
environment, followed by implementation itself.
Planning
These are recommended implementation planning activities together with some critical success factors:
Activities
• Identify champions
– Stakeholders (including partners), Input providers, IT strategy committee (council) members
• Establish IT strategy committee (council)
• Identify IT “hotspots” in the organisation, and where governance could enable ‘hotspot’ resolution:
– Strategy? Delivery? IT Cost? Architecture?
– Where current approaches have not worked or caused serious failures
• Identify skill set and capabilities needed from people involved
• Identify existing good practice (‘pseudo governance’) or successes that could be built on or shared
• Identify cost/benefit arguments – why do we need to do anything?
• Identify inconsistencies in process/practice
• Identify opportunities for “rest of business” to get involved in IT
• Explore opportunity to adopt industry best practice model, or standards framework
• Utilise external influences
• Create a measurement approach for an area or activity to expose actual evidence of problems
• Do some gap analysis against industry best practice
CSFs
√ Authoritative and articulate champions
√ Available skills and capabilities
√ Well prepared business cases approved by stakeholders
√ Real opportunities for the business to see the benefit of participating
√ Practical and useful governance approaches
√ Effective and useful measures
√ Expose the truth / whole picture, warts and all, about project success / failure, showing how governance can be helpful
Success criteria for the initial implementation phase (“Done” √ checklist)
• Key stakeholders identified, engaged and actively involved
• Key stakeholders contributing towards and able to explain and support the business case for ITG
• Stakeholders have an understanding of the expectations of the IT Governance initiative
• Some initial ‘quick wins’ have been identified and implemented – to make governance “real”
• Acceptance of the published IT Governance framework by those responsible for implementation
• An effective communication plan – who to, what, when etc. to overcome any barriers and to motivate change
• Current key IT projects mapped against ITG plan, to look for easy fit/implications
• Changes are sustainable and institutionalised, i.e. they become Business as Usual practices
Figure 3.1.1

Implementation
These are the recommended activities to start up the implementation roadmap, together with some critical success factors:
Activities
• Create a sound project structure
– Define scope (what is included/excluded) and deliverables
– Agree success criteria/quality criteria
– Set realistic timeframes
– Allocate suitable resources and roles
– Identify risks and a risk mitigation strategy
• Gain approval from Senior Management (the higher the better within the Enterprise)
• Find reference site, or external examples to learn from
• Build communication plan to gain buy-in, and break down barriers
– Who/what/how frequent/purpose
• Do a pilot activity (demonstrate the business case) to show how it would work and demonstrate potential benefits
• Follow a phased introduction, e.g.
– Focus on critical but easier to address areas
– Assess projects first
– Build up operational performance improvement progressively based on prioritising maximum return for lowest cost
– Consider one business area first, others later
– Aim to establish some successes while learning how to be effective
CSFs
√ Good project management (set the governance tone)
√ Expectations set correctly
√ Approved business case
√ Manage IT like you manage the rest of the business
√ Convincing reference sites
√ Successful pilot
√ Address quick wins first to demonstrate results and realise benefits before attempting any major changes
3.3 Who needs to be involved and what are their roles and responsibilities?
All three generic groups of stakeholders, and their interests, should be involved in an IT Governance initiative. A key
characteristic of any successful IT Governance initiative is the establishment of an enterprise-wide approach that clearly sets
out roles and responsibilities, emphasising that everyone has a part to play in enabling successful IT outcomes.
Figure 3.3: This timeline is generic and intended only to be an example – it is based on the SIG’s experience.
Thanks to Legal and General for the concept.

It may also be helpful to include an external, or internal, facilitator to provide an objective and neutral position.
The suggested generic roles and responsibilities of the three main groups are shown in Figure 3.3.1.
Investors Providers Controllers
Management board (authority to make things happen)
• Give direction backed up with adequate support and sponsorship
• Balance requirements with available resources, making available additional resources if required
• Insist on and seek measurable benefit realisation
• Coordinate overseas/satellite parts of the enterprise to ensure their interests and constraints have been considered
• Create organisation and structure to ensure board involvement in the governance process – by forming committees, establishing reporting processes
• Monitor performance, monitor risks, correct deviations
Business and IT senior managers, business partners and project sponsors
• Implement organisation and necessary infrastructure
• Take ownership of requirements
• Champion and collaborate in IT governance activities
• Ensure business strategy and objectives are set and communicated and aligned with IT
• Assess business risks and impacts
• Establish reporting processes meaningful to stakeholders
• Communicate any business concerns in a balanced and reasoned way
• Provide project champions, creating the seeds of change
User representatives
• Take responsibility for Quality Assurance programme (design and output)
• Regularly check actual results against original (or changed) goals
• Provide service feedback to providers
IT management (internal and external), with support from business management
• Take ownership and set direction of IT Governance activities
• Build and achieve a pilot business case
IT management
• Set IT objectives
• Define IT governance and control framework
• Identify critical IT processes
• Assess risks, identify concerns
• Assess IT capability, identify gaps
• Initiate a continuous improvement programme
• Develop business cases for improvements
• Design and implement solutions
• Commit skilled resources
• Establish performance measurement system
• Report to senior management
• Respond to QA feedback from customers
Suppliers/business partners
• Integrate any own existing or planned governance practices with customer’s
• Support and contribute to customer’s governance approach
• Agree service definitions, incentives, measures and contracts/agreements
Training and Development
• Ensure adequate education and communication
HR function
• Incorporate governance principles into induction and performance measurement process
Core team
• Define plan and deliverables
• Organise team and roles (architects, senior responsible officer, facilitator, project manager, process owners)
• Undertake core tasks
• Report progress to plan
Internal and External Audit
• Scope audits in coordination with governance strategy
• Provide assurance on the control over IT
• Provide assurance on the control over the IT performance management system
Risk Management
• Ensure that new risks are identified in a timely manner, provide advice
Compliance officers
• Ensure that IT complies with policy, laws and regulations
Finance
• Advise on and monitor IT costs and benefits
• Provide support for management information reporting
• Incorporate governance requirements into purchasing/contract process
Figure 3.3.1

4 Communication Strategy & Culture
4.1 Who do we need to influence?
4.2 What are the key messages?
4.3 Communication best practices
4.4 Developing an influencing strategy
4.5 Change roadmap
IT Governance and risk management are about improving the management and control of IT activities and enabling top management to exercise proper oversight. To achieve this, better processes, controls, best practices and management techniques are required. However, all of these improvements will only have a chance of succeeding in a sustainable way if the culture of the organisation is changed to drive and support the desired new management approach.
Effective communications are a key enabler of these changes, just as poor communications can create a legacy of
misunderstanding, lack of trust, and technical mystique and hype in many organisations. As we said earlier, if it is difficult for
those literate in technology and relatively close to the IT function, then it is even worse for the end customer who finds technical
jargon a smokescreen and lack of information relevant to his business a major headache. Communication and cultural
behaviour, based on appropriate influencing strategies are therefore key ingredients of any IT Governance improvement
programme. In order to best influence stakeholders, and communicate the major objectives and benefits of IT Governance
throughout the organisation, the right language must be used. Given the significance of IT both in terms of investment and
potential impact on the business – the risks of IT and of failing to exploit IT for strategic advantage must be stressed in
any communication about IT Governance. Wake-up calls are sometimes required at the highest levels. Stakeholders must
understand and feel responsible for safeguarding against IT risks.
Effective communications will ensure that “everyone is on the same page” – that key issues have been grasped, objectives
have been positively accepted by management and staff, and everyone understands their role. Every organisation will have its
own existing culture and choice of IT Governance approach that it wishes to adopt. The roadmap to follow for cultural change
and effective communication will therefore be unique to each organisation, however there may be common elements.
4.1 Who do we need to influence?
A fundamental element of IT Governance is change. When considering who needs to be influenced for successful IT
Governance, it is important to remember that different messages are needed for different stakeholders. Whatever the topic is
about, the language used must be understandable, relevant to the intended audience, and motivate positive attitudes towards
change.
Identifying and gaining the support of the key influencers of success and failure helps enable successful communications strategies. It is also vital to recognise the main stakeholders impacted by the change, identify why we want to influence a particular stakeholder, and identify any resistance that needs to be overcome. Positive attitudes need to be promoted and used to influence others.
All three generic groups of stakeholders, and their interests, should be involved in an IT Governance initiative. It is critical
to influence these groups positively so that they understand the objectives and benefits of IT Governance and are able to
communicate consistently to each other and within their groups (Figure 4.1).

4.2 What are the key messages?
In order to best influence stakeholders, and communicate the major objectives and benefits of IT Governance, the right
language must be used. An inability to communicate effectively has been one of the major causes of IT failures, with too much
technical jargon, lack of business understanding and poor appreciation of the other party’s requirements and issues. Ideally,
a common language is required, and a balance has to be found between the business trying to understand IT and IT trying to
understand the business. Communications will improve if the business views the technology provider not as a simple enabler
but as a valued business partner and if IT presents benefits in the language that the business understands. The following are
examples of some of the key messages that need to be communicated, based on three primary IT Governance objectives and
the related benefits that can be realised (Figure 4.2).
Who needs to be influenced?
Investors
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance
Providers
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. business sponsors, project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/policy owners e.g. HR, Facilities Management, Legal
Controllers
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/post project review teams
Key Messages
Investors
• Benefits of governance
• Why we need to do it
• Impact on the business strategy
• Commitment to support action plans
Providers
• Benefits of governance
• Why we need to change
• Your role and responsibility
• How you need to change
Controllers
• Need for independent assessment and assurance
• Relate to real business risks and impacts
• Work positively with management to address control needs
Figure 4.1
Ability to address these Objectives will realise these Benefits
Objective: IT and Business strategic and operational alignment
• IT and business working towards the same corporate goals
• Architecture and other technology approaches seen as relevant and value adding to the business
Benefits: RoI/Stakeholder Value, Transparency and Accountability
+ Shareholder Value
+ Leveraging investments for greatest return
+ Better use of IT capabilities
+ Cost effective IT solutions
Objective: Effective Relationship Management (internal and external)
• Mutual understanding of goals
• Shared language and terminology
• Working in partnership – equal investment and responsibility
• Clear accountabilities
Benefits: Opportunities and Partnerships
+ Increased synergies
+ Improved speed to market
+ Improved efficiencies, particularly with third parties
+ Agility to respond to change
Objective: Management Control/Quality Management
• Standardised processes
• Consistent approaches
• Comparison/adoption of external best practices (e.g. ISO, CMMi, CobiT, ITIL)
• Professional IT services
• Management of risks
Benefits: Performance Improvement
+ Risk mitigation
+ Continuous efficiency and quality improvements
+ Increased assurance that controls are working
+ Transparency and confidence about measures
Figure 4.2

4.3 Communication best practices
The experiences of the IT Governance SIG have shown that it is best practice to emphasise the importance of controlling IT
related risks when communicating the need for IT Governance. In particular, make sure stakeholders understand and feel
responsible for safeguarding against risks that would not exist if they had put in place effective IT Governance controls:
a) The “downside” business risks associated with the use and function of IT, i.e. financial losses, damage to reputation,
loss of service etc.
b) The “upside” business risks of not exploiting IT effectively, i.e. loss of competitive advantage, inefficiencies, failure to
respond to changing markets etc.
Recommended approaches
If IT risks are not communicated effectively, and instead are surrounded by hype and complexity, then stakeholders will not
appreciate their real impact, take the issues seriously, or be motivated to insist on better controls. The following approaches
are recommended to ensure risks have been properly appreciated:
• Emphasise the business impact of risks associated with misaligned IT strategies, misuse of technology, badly managed operations and ineffective project management. Show how these risks can be mitigated by effective controls.
– Use case studies that have impacted the business or other businesses (e.g. virus attacks, critical service outages, projects with “unexpected outcomes”) to illustrate how issues might arise.
• Identify relevant examples of governance providing business benefits beyond the basic requirement of evidencing control.
– Use case studies to illustrate how effective governance has identified risk to the business, its objectives and strategy, and brokered an alternative solution.
– Use case studies to illustrate business benefits as a direct result of effective governance, e.g. reduced costs, improved quality, productivity, reputation and marketing advantages.
• Scenario modelling with risk assessment and mitigation:
– Consider known and new risks across both business and IT (e.g. external audit requirements)
– How governance can help mitigate the risk
– Calculate a risk factor = likelihood x impact
– Consider options – accept, mitigate or assign
• Using common business language:
– Technological risk in financial/economic/business terms
– Legal/regulatory, contractual implications
Critical Success Factors
• Involve all relevant stakeholders in a facilitated workshop environment
• Get clear ownership and funding commitment for risk mitigating actions
• Monitor/track all actions
4.4 Developing an influencing strategy
Critical to the success of any IT Governance initiative is an effective communications plan. The communications plan should
be based on a well-defined influencing strategy. Behaviours will need to be changed and care should therefore be taken
to ensure that participants will be motivated and see the benefits of the new approaches, as well as understanding the
consequences of accepting responsibility. If this is not positively communicated, then IT Governance will not be perceived as
part of the corporate mission with Board level support. Management will resist it as a barrier to getting the job done, a deviation
from current priorities, or another management fad.
The strategy should identify opportunities for the active involvement of stakeholders in developing the governance approach,
planning and implementing IT management changes, and ideally building specific change objectives/targets into personal
performance plans. The stakeholders are likely themselves to be the targets of change and should be involved in discussing/
evolving responses to the change via collaborative workshops, focus groups etc.

The influencing strategies need to be designed to work in specific situations with the individual influence targets identified. The
following table shows four typical influencing styles, examples of the communications involved and the associated leadership
styles. It is important to select the most appropriate style taking into account who needs to be influenced and on what topic.
Figure 4.4.1: Change approaches

Focus on Roles and Responsibilities
• Identify an overall sponsor and steering group with specific tasks and responsibilities for leading the change
• Ensure there is a complete structure of cascaded sponsorship down to team/line manager level

Focus on individual situations
• Identify champions (those high on interest and/or influence)
• Use successes as benchmarks
• Disseminate across teams and support formation of new teams
Figure 4.4.1 shows different change approaches that can be used. For IT Governance initiatives experience shows that
the best approach is incremental change evolving and adapting of current practices to a new collaborative IT management
approach.
Influencing style examples (Figure 4.4)

Asserting (push style)
• Stating expectations of improved IT Governance and consequences of not adopting the new control model
• Evaluating current capability, risk management, delivery quality etc. and exposing unacceptable performance
• Creating incentives by setting clear IT Governance objectives, based on business priorities, backed up by the personal reward scheme

Persuading (push style)
• Proposing new management approaches, best practices, standards for IT activities, based on development workshops
• Reasoning that changes are needed, by educating top management about the key IT issues and the benefits IT Governance can provide, e.g. more ownership in the business of IT projects

Bridging (pull style)
• Involving the business in IT decision making, by breaking down technical barriers and encouraging shared responsibility for IT outcomes
• Listening to user feedback about IT services and encouraging suggestions via satisfaction surveys
• Disclosing IT problems and incidents seeking workable solutions instead of covering them up

Attracting (pull style)
• Finding common ground by developing corporate mission statements and policies about IT Governance with support from the Board
• Visioning by IT and the business developing shared strategies and action plans, backed up by measurable and accountable objectives and targets

Figure 4.4

4.5 Change roadmap
Every organisation will have its own existing culture and choice of IT Governance paradigm that it wishes to adopt. The
roadmap to follow for cultural change and effective communication will therefore be unique to your specific situation.
The following techniques (Exploring Strategic Change, Veronica Hope-Hailey, Julia Balogun, Gerry Johnson, Kevan
Scholes, Cranfield University) can help guide the best path to follow, and can be used to assess how your organisational
culture and management style currently deals with the governance of its IT activities and what cultural style it desires. To
do this you must:
• Analyse the existing state
• Define the desired state
Cultural style and paradigms are formed from several characteristics which can generally be illustrated as shown in Figure
4.5.
Figure 4.5.1 illustrates some of the typical current and desired IT Governance behaviours found in many organisations
today.
Figure 4.5

Characteristic: Current / Desired

Myths and Stories
  Current: Poor business and IT alignment: project failures; budget overruns; poor service, failure to meet business needs.
  Desired: Effective business and IT alignment: demonstrable RoI, project success stories, user satisfaction, business driving IT.
Symbols
  Current: Mystique and technical jargon, lack of business terms.
  Desired: Common language based on customer needs. Business literate in IT issues and opportunities.
Power Structures
  Current: Them and us attitudes.
  Desired: Collaboration.
Organisational Structures
  Current: Divisive. IT seen as overhead function.
  Desired: Partnerships. IT seen as business enabler.
Control System
  Current: Based on departmental units and who knows the most.
  Desired: Based on defined processes, standards and best practices owned by the organisation.
Routines and Rituals
  Current: Hidden agendas, measures in provider’s terms and a general lack of transparency leaving top management in the dark.
  Desired: Joint forums for monitoring progress, measures in customer’s terms, transparent reporting to top management.
Figure 4.5.1

5 Capability Maturity Assessment
5.1 Why IT capability is important ... 23
5.2 How to measure IT capability ... 23
5.3 Setting maturity targets and considering improvements ... 24
5.4 Roadmap for sustaining the approach ... 25
5.5 Self-assessment tools ... 26
Monitoring and assessing the adequacy of IT Resources (people, applications, technology, facilities, data) to ensure that they are capable of supporting the current and proposed IT strategy is a key aspect of IT Governance. In many
organisations board level management have a very unclear view of their IT capability, and find it very difficult to understand
the technical and organisational IT environment upon which they increasingly depend. Often inadequacies only manifest
themselves when projects fail, costs spiral, operational systems crash, or service providers fail to deliver the value promised.
To exercise sufficient governance and oversight, senior management should insist on objective and regular assessments of
their internal and externally provided IT services to ensure any inadequate capabilities are exposed before serious problems
occur, and then take the necessary action to rectify weaknesses. In recent years, surveys and assessments carried out around
the world have shown that in general IT capabilities have not kept pace with increasing IT complexities and the growing
demands for reliable, secure and flexible services. Cost control and reducing inefficiencies are also important reasons for
reviewing technical and organisational capability.
Improving the maturity of IT capability both reduces risks and increases efficiency – cost saving is
often a justification.
Capability Maturity Modelling (CMM) techniques (CMM was created by the Software Engineering Institute with Carnegie
Mellon) are increasingly being adopted by many organisations for assessing IT capability. This technique focuses on the
IT management processes that control IT resources, and assessments usually reveal significant weaknesses and an IT
capability disproportionate to the high dependency organisations have on their IT service providers. Using the CMM scale it is
rare to find even a defined (level 3) process in many organisations.
Management should insist on objective and transparent assessments, and carry out these analyses as part of any due
diligence review, or request third party certifications when considering outsourcing or during mergers and acquisitions.
Agreement then must be reached regarding where and how to address inadequacies, by either investing in the internal
infrastructure or seeking externally provided outsourced resources, or accepting the risks.
5.1 Why IT capability is important
A key to successful IT performance is the optimal investment, use and allocation of IT resources (people, applications,
technology, facilities, data) in servicing the needs of the enterprise. Most enterprises fail to maximise the efficiency of their IT
assets and optimise the costs relating to these assets. In addition, the biggest challenge in recent years has been to know
where and how to outsource and then to know how to manage the outsourced services in a way that delivers the values
promised at an acceptable price.
Boards need to address appropriate investments in infrastructure and capabilities by ensuring that:
• The responsibilities with respect to IT system and services procurement are understood and applied.
• Appropriate methods and adequate skills exist to manage and support IT projects and systems.
• Improved workforce planning and investment to ensure recruitment and more importantly, retention, of skilled IT staff.
• IT education, training and development needs are fully identified and addressed for all staff.
• Appropriate facilities are provided and time is available for staff to develop the skills they need.
Boards need to ensure that IT resources are used and managed wisely by ensuring that:
• Appropriate methods and adequate skills exist in the organisation to manage IT projects.
• The benefits accruing from any service procurement are real and achievable.
IT assets are complex to manage and continually change due to the nature of technology, and changing business
requirements. Effective management of the lifecycle of hardware, software licences, service contracts, and permanent and
contracted human resources is a critical success factor in not only optimising the IT cost base, but also for managing changes,
minimising service incidents, and assuring a reliable quality of service.
Of all the IT assets, human resources represent the biggest part of the cost base and on a unit basis the one most likely
to increase. Identifying and anticipating the required core competencies in the workforce is essential. When these are
understood, an effective recruitment, retention and training programme is necessary to ensure that the organisation has the
skills to utilise IT effectively to achieve the stated objectives.”8
5.2 How to measure IT capability
To ensure IT resources are managed effectively, IT capability should be assessed on a regular basis and whenever
resources are critical to strategic IT decisions. The capability assessment should be:
• Based on alignment of IT goals with business goals
• Targeted at the IT processes critical to business success by:
– Assessing the current capability of these IT processes
– Determining the required capability
– Analysing any gaps in capability
– Providing transparent visibility of the capability position
– Defining and justifying necessary improvement projects or
– Re-adjusting the IT strategy:
  adjusting goals
  improving capability
  outsourcing when cost-effective
The measurement of IT capability should be an objective assessment oriented towards business requirements. This will
ensure that the current “as-is” and required “to-be” capabilities are realistic and measurable enabling any gaps to be identified
and a plan to be drawn up to rectify any shortcomings.
The Capability Maturity Model (CMM) approach first developed by the Software Engineering Institute for measuring software
delivery capability is increasingly being adopted as the basis for assessing overall IT capability. This model provides a
standard scale for assessing the maturity of any IT process on a five-point scale (figure 5.2).
The following principles are recommended when carrying out an assessment:
Set scope
1. Select a reference model based on standards and best practices most suitable for your business, e.g. CobiT, ITIL, SEI-CMM, Six Sigma, ISO 9000/9001, PMBOK – perhaps considering weighting measures
2. Use an acceptable measurement methodology agreed with the stakeholders which is defined and transparent
3. Set a baseline in the context of 1 and 2 above and present the current state assessment using a scale or rating system
4. Set reasonable objectives for the targeted level of capability
5. Define measures which relate both to “the journey” as well as the “end goal” (e.g. the KPIs and KGIs recommended by CobiT)
6. Ensure simplicity and flexibility
7. Limit the number of measures, minimise measurement overhead, and avoid information overload
Consider the following critical success factors:
• Appropriate level of ownership
• Avoid complexity and be flexible
• Embed measures into business as usual processes
• Ensure staff have adequate skills, training and tools
• Create a repeatable process and agree frequency of reporting
• Where possible automate measurement and reporting
• Assess achievement against targets alongside other business as usual targets
5.3 Setting maturity targets and considering improvements
The real value of a capability assessment comes from the identification and implementation of cost effective improvements.
A realistic and practical approach is required to ensure that the proposed improvements are based on business priorities, will
be supported and funded by management, and will be successfully implemented.
The following approach is recommended:
1. Understand the environment
2. Establish capability improvement framework
3. Set realistic targets and respond to environment changes
4. Identify gaps – prioritise improvements
5. Propose achievable solutions
5.4 Roadmap for sustaining the approach
Having initiated a capability assessment approach, and perhaps performed a pilot project, a capability assessment process
needs to be implemented as part of normal business procedures.
The following practices are recommended to help ensure the process is sustainable:
• Articulate current capabilities in relation to an adopted framework
• Set current levels of capability in the context of external comparisons
Figure 5.2
• State the effect on the business of the current IT capability state of affairs. Describe the ramifications of NOT improving capability e.g. additional costs or risks, inability to realise opportunities, late or non-delivery of the strategic development programme, redundant effort
• Describe the benefits of implementing improvements in specific areas
• Describe the projected effect on the business after delivery of enhancements
Initiating and sustaining capability enhancements
• Agree steering and review mechanism, sponsorship etc.
• Agree on prioritised programme of improvements
• Look for continuous improvement opportunities where improvement is relevant or necessary
• Follow the 80:20 rule, i.e. don’t implement more than is necessary
• Embed all improvements as “business as usual”, not a one-off initiative
• All improvements should be achievable, sustainable, relevant
• Motivate everyone involved by publishing and celebrating successes
• Agree key measures around implementation of improvements and measures of resultant business benefit – make part of a wider IT balanced scorecard
• Agree communication to targets, stakeholders and sponsors as well as the wider community where there is likely to be a general interest in outcomes
• Periodically review the objectives and reset goals if necessary, checking validity of goals against business strategy
5.5 Self-assessment tool
The simple self-assessment diagnostic in figure 5.5 can be used to help show overall capability at a high level. It is based
on the four domains of CobiT, broken down into the 34 CobiT sub-processes. The extent of the analysis depends on how
precise you wish to be. A management workshop can be used to arrive at an approximate initial assessment without extensive
analysis.

IT Process / Importance (H = high, M = medium, L = low, shown in brackets) / Maturity: Ad hoc, Repeatable, Defined, Managed, Optimised (the maturity columns are left blank for the assessor to complete)

Planning & Organisation
PO1 Define a Strategic Information Technology Plan (H)
PO2 Define the Information Architecture (M)
PO3 Determine the Technology Direction (M)
PO4 Define the IT Organisation and Relationships (M)
PO5 Manage the Investment in Information Technology (M)
PO6 Communicate Management Aims and Direction (L)
PO7 Manage Human Resources (L)
PO8 Ensure Compliance with External Requirements (M)
PO9 Assess Risks (M)
PO10 Manage Projects (L)
PO11 Manage Quality (L)

Acquisition & Implementation
AI1 Identify Solutions (L)
AI2 Acquire and Maintain Application Software (M)
AI3 Acquire and Maintain Technology Architecture (M)
AI4 Develop and Maintain Information Technology Procedures (M)
AI5 Install and Accredit Systems (L)
AI6 Manage Changes (M)

Delivery & Support
DS1 Define Service Levels (M)
DS2 Manage Third-Party Services (H)
DS3 Manage Performance and Capacity (M)
DS4 Ensure Continuous Service (L)
DS5 Ensure Systems Security (M)
DS6 Identify and Allocate Costs (L)
DS7 Educate and Train Users (L)
DS8 Assist and Advise Information Technology Customers (L)
DS9 Manage the Configuration (M)
DS10 Manage Problems and Incidents (H)
DS11 Manage Data (H)
DS12 Manage Facilities (L)
DS13 Manage Operations (M)

Monitoring
M1 Monitor the Process (M)
M2 Assess Internal Control Adequacy (M)
M3 Obtain Independent Assurance (M)
M4 Provide for Independent Audit (M)
Figure 5.5
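A worked gap analysis over the diagnostic above, added here as an example and not a tool from the guide: each process carries its importance rating from figure 5.5 plus an as-is and a to-be maturity on the five-point scale, and the importance-weighted gap orders the improvement candidates in the way sections 5.2 and 5.3 describe. The H/M/L weights, the sample scores and the function names are assumptions made for this example.

```python
"""Capability self-assessment and gap analysis in the style of figure 5.5.

Added example, not part of the original guide. Each CobiT process is rated
for business importance (H/M/L, as in figure 5.5) and given a current and a
target maturity on the five-point scale (Ad hoc .. Optimised). The importance
weights and the sample scores below are assumptions made for this example.
"""
from dataclasses import dataclass
from statistics import mean

# Five-point maturity scale as labelled in the columns of figure 5.5.
MATURITY = {1: "Ad hoc", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimised"}

# Assumed weighting of the H/M/L importance rating (not from the guide).
IMPORTANCE_WEIGHT = {"H": 3, "M": 2, "L": 1}


@dataclass(frozen=True)
class ProcessAssessment:
    process_id: str   # CobiT process reference, e.g. "PO1"
    name: str
    domain: str       # one of the four CobiT domains
    importance: str   # "H", "M" or "L"
    current: int      # as-is maturity, 1..5
    target: int       # to-be maturity, 1..5

    def __post_init__(self) -> None:
        if self.importance not in IMPORTANCE_WEIGHT:
            raise ValueError(f"{self.process_id}: importance must be H, M or L")
        for label, level in (("current", self.current), ("target", self.target)):
            if level not in MATURITY:
                raise ValueError(f"{self.process_id}: {label} maturity must be 1..5")

    @property
    def gap(self) -> int:
        """Levels still to climb; a process already at or above target has no gap."""
        return max(self.target - self.current, 0)

    @property
    def priority(self) -> int:
        """Gap weighted by importance, so large gaps on H processes rank first."""
        return self.gap * IMPORTANCE_WEIGHT[self.importance]


def prioritise(assessments):
    """Order processes for improvement: priority, then importance, then id (stable)."""
    return sorted(
        assessments,
        key=lambda a: (-a.priority, -IMPORTANCE_WEIGHT[a.importance], a.process_id),
    )


def domain_summary(assessments):
    """Per-domain view for a management workshop: mean as-is/to-be and count below target."""
    by_domain = {}
    for a in assessments:
        by_domain.setdefault(a.domain, []).append(a)
    return {
        domain: {
            "avg_current": mean(a.current for a in items),
            "avg_target": mean(a.target for a in items),
            "below_target": sum(1 for a in items if a.gap > 0),
        }
        for domain, items in by_domain.items()
    }


def describe(a: ProcessAssessment) -> str:
    """One report line in the 'as-is -> to-be' form of section 5.2."""
    return (f"{a.process_id} {a.name} [{a.importance}] "
            f"{MATURITY[a.current]} -> {MATURITY[a.target]} (priority {a.priority})")


# Constructed sample: a subset of figure 5.5 with assumed current/target scores.
SAMPLE = [
    ProcessAssessment("PO1", "Define a Strategic IT Plan", "Planning & Organisation", "H", 2, 4),
    ProcessAssessment("PO7", "Manage Human Resources", "Planning & Organisation", "L", 1, 2),
    ProcessAssessment("PO9", "Assess Risks", "Planning & Organisation", "M", 1, 3),
    ProcessAssessment("DS2", "Manage Third-Party Services", "Delivery & Support", "H", 3, 3),
    ProcessAssessment("DS5", "Ensure Systems Security", "Delivery & Support", "M", 2, 4),
    ProcessAssessment("DS10", "Manage Problems and Incidents", "Delivery & Support", "H", 1, 3),
    ProcessAssessment("DS11", "Manage Data", "Delivery & Support", "H", 4, 4),
    ProcessAssessment("M3", "Obtain Independent Assurance", "Monitoring", "M", 2, 3),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE):
        print(describe(a))
    for domain, stats in domain_summary(SAMPLE).items():
        print(domain, stats)
```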

6 Risk Management
6.1 What are the risks? ... 28
6.2 What is the best approach for risk analysis and management? ... 29
6.3 How can standards and best practices be used – is certification useful? ... 30
6.4 What are the roles of management, staff and auditors? ... 31
6.5 Who needs to be competent? ... 31
6.6 What competence is required? ... 32
6.7 How to obtain, develop, retain and verify competence ... 33
6.8 When to source competence from outside ... 35
6.9 Key learning points ... 35
The management of risks is a cornerstone of IT Governance, ensuring that the strategic objectives of the business are not jeopardised by IT failures. IT related risks are increasingly a Board level issue as the impact on the business of
an IT failure, be it an operational crash, security breach or a failed project, can have devastating consequences. However,
managing IT risks and exercising proper governance is a challenging experience for business managers faced with technical
complexity, a dependence on an increasing number of service providers, and limited reliable risk monitoring information. As a
consequence, management are often concerned whether risks are being cost effectively addressed, and they need assurance
that risks are under control.
The universal need to demonstrate good enterprise governance to shareholders and customers is the driver for increased risk
management activities in large organisations. Enterprise risk comes in many varieties, not only financial risk. Regulators are
specifically concerned about operational and systemic risk, within which technology risk and information security issues are
prominent. The Bank for International Settlements, for example, supports that view because all major past risk issues studied
in the financial industry were caused by breakdowns in internal control, oversight and IT. Infrastructure protection initiatives in
the US and the UK point to the utter dependence of all enterprises on IT infrastructures and the vulnerability to new technology
risks. The first recommendation these initiatives make is for risk awareness of senior corporate officers.
Therefore, the board should manage enterprise risk by4:
• Ascertaining that there is transparency about the significant risks to the enterprise and clarifying the risk-taking or risk-avoidance policies of the enterprise.
• Being aware that the final responsibility for risk management rests with the board so, when delegating to executive management, making sure the constraints of that delegation are communicated and clearly understood.
• Being conscious that the system of internal control put in place to manage risks often has the capacity to generate cost-efficiency.
• Considering that a transparent and proactive risk management approach can create competitive advantage that can be exploited.
• Insisting that risk management is embedded in the operation of the enterprise, responds quickly to changing risks and reports immediately to appropriate levels of management, supported by agreed principles of escalation (what to report, when, where and how).
We must be conscious though that risk taking is an essential element of business today. Success will come to those
organisations that identify and manage risks most effectively. Risk is as much about failing to grasp an opportunity as it is
about doing something badly or incorrectly.
6.1 What are the risks?
To enable effective Governance, IT risks should always be expressed in the business context rather than in the technical
language favoured by IT risk experts. The following generic structure for expressing IT risks in any organisation is
suggested:
• Business specific risk (e.g. Operational risk of orders not being received)
• Generic common IT risk (e.g. IT availability risk)
• Specific IT risk (e.g. Denial of service attack on Internet customer order system)
4. Board Briefing on IT Governance, 2nd Edition, the IT Governance Institute®.
Business risks are affected by the business environment (management style, culture, risk appetite, industry sector factors
such as competition, reputation etc., national and international regulations). IT risks can be similarly affected.
There is no single accepted set of generic IT risk definitions, but these headings can be used as a guide (Taken from a
global study by the Economist Intelligence Unit in 2002):
• Investment or expense risk
• Access or security risk
• Integrity risk
• Relevance risk
• Availability risk
• Infrastructure risk
• Project ownership risk
The OGC’s M_o_R framework visualises four levels of risks in a pyramid with appropriate escalation to higher levels for
significant risks (Figure 6.1).
For IT to be effectively governed, top management must be able to recognise IT risks and ensure that significant risks are
managed. Significance of an IT risk is based on the combination of impact (what effect the risk would have on the organisation
if it occurred) and likelihood (the probability of the risk occurring). Because of the complexity and fast changing nature of IT,
education and awareness is essential to ensure risks are recognised – not just at the top management level but at all levels
throughout the organisation. It is increasingly common for a dedicated risk management function to be established or for
external advice to be obtained on a regular basis to ensure that risks are monitored and the rest of the organisation is kept
informed. Maintenance of a risk catalogue or risk register can be helpful to ensure that a thorough review of all IT related risks
takes place on a periodic basis and for providing assurance to management that risks are being addressed.
6.2 What is the best approach for risk analysis and management?
Risk management consists of two main elements:
• Risk Analysis
• Risk Management
Having defined risk appetite and identified risk exposure, strategies for managing risk can be set and responsibilities
clarified. Dependent on the type of risk and its significance to the business, management and the board may choose to:
• Mitigate, by implementing controls
• Transfer, by sharing risk
• Accept, by formally acknowledging that the risk exists and monitoring it
Figure 6.1
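A minimal risk register, added here as an example and not part of the guide, that records each risk in the three-level structure of 6.1, scores significance as the risk factor likelihood x impact, routes it to an escalation level, and checks that the treatment chosen under 6.2 (mitigate, transfer or accept) is backed by an owner and by an action or a monitoring review date. The 1..5 scales, the four escalation levels and their thresholds, and the sample entries are assumptions made for this example.

```python
"""IT risk register: significance scoring, escalation and treatment checks.

Added example, not part of the original guide. Each entry follows the
three-level structure of section 6.1 (business-specific risk, generic IT risk
heading, specific IT risk), is scored as likelihood x impact, and is routed
to an escalation level. The 1..5 scales, the four escalation levels and their
thresholds, and the sample entries are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Generic IT risk headings listed in section 6.1.
GENERIC_IT_RISKS = {
    "Investment or expense", "Access or security", "Integrity", "Relevance",
    "Availability", "Infrastructure", "Project ownership",
}
TREATMENTS = {"mitigate", "transfer", "accept"}  # options from section 6.2

# Assumed four-level escalation (highest first) with thresholds on the 1..25 score.
ESCALATION = [(15, "Board"), (9, "Business unit management"),
              (4, "Programme/project"), (0, "Team")]


def significance(likelihood: int, impact: int) -> int:
    """Risk factor = likelihood x impact, both on an assumed 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def escalation_level(score: int) -> str:
    """Lowest management level that must see a risk of this significance."""
    for threshold, level in ESCALATION:
        if score >= threshold:
            return level
    return ESCALATION[-1][1]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    business_risk: str      # expressed in business terms, as 6.1 requires
    generic_it_risk: str    # one of GENERIC_IT_RISKS
    specific_it_risk: str   # the technical risk behind the business risk
    likelihood: int
    impact: int
    treatment: str          # mitigate / transfer / accept
    owner: str = ""
    action: str = ""        # control (mitigate) or sharing arrangement (transfer)
    review_date: str = ""   # an accepted risk is monitored, so it needs a review date

    def __post_init__(self) -> None:
        if self.generic_it_risk not in GENERIC_IT_RISKS:
            raise ValueError(f"{self.risk_id}: unknown generic IT risk heading")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: treatment must be mitigate, transfer or accept")
        significance(self.likelihood, self.impact)  # reject out-of-range scores early

    @property
    def score(self) -> int:
        return significance(self.likelihood, self.impact)

    @property
    def escalate_to(self) -> str:
        return escalation_level(self.score)


def validate_register(risks: list[Risk]) -> list[str]:
    """Governance checks: every risk has an owner, and the chosen treatment is
    backed by an action (mitigate/transfer) or a monitoring review date (accept)."""
    issues = []
    for r in risks:
        if not r.owner:
            issues.append(f"{r.risk_id}: no owner assigned")
        if r.treatment in ("mitigate", "transfer") and not r.action:
            issues.append(f"{r.risk_id}: {r.treatment} chosen but no action recorded")
        if r.treatment == "accept" and not r.review_date:
            issues.append(f"{r.risk_id}: accepted risk has no review date")
    return issues


def prioritised(risks: list[Risk]) -> list[Risk]:
    """Most significant first; ties broken by id so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))


def board_report(risks: list[Risk]) -> list[str]:
    """Risks that reach Board level, worded as business risks rather than IT jargon."""
    return [f"{r.risk_id} ({r.score}): {r.business_risk}"
            for r in prioritised(risks) if r.escalate_to == "Board"]


# Constructed sample register; R1 reuses the guide's own example from 6.1.
SAMPLE = [
    Risk("R1", "Operational risk of orders not being received", "Availability",
         "Denial of service attack on Internet customer order system", 3, 5, "mitigate",
         owner="Head of online sales", action="DDoS protection service and capacity monitoring"),
    Risk("R2", "Regulatory risk from disclosure of customer records", "Access or security",
         "Unauthorised access to customer records through weak access control", 2, 4, "mitigate",
         owner="Information security manager", action="Quarterly access review, role-based permissions"),
    Risk("R3", "Financial risk of CRM programme overrun", "Project ownership",
         "CRM upgrade has no business sponsor", 4, 2, "accept", owner="CIO"),
    Risk("R4", "Contractual risk of outsourcer non-performance", "Infrastructure",
         "Hosting provider data centre outage", 2, 3, "transfer",
         action="Contractual service credits and business interruption insurance"),
]

if __name__ == "__main__":
    for r in prioritised(SAMPLE):
        print(f"{r.risk_id} score={r.score:2d} -> {r.escalate_to}: {r.specific_it_risk}")
    for issue in validate_register(SAMPLE):
        print("ISSUE", issue)
```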
The following framework for managing risk in Figure 6.2 is suggested by the OGC (OGC Risk Management Framework
www.ogc.gov.uk).
The analysis of IT risks can be very time-consuming and there is a danger of “analysis paralysis”. To ensure effective
and timely identification of risk, management workshops involving knowledgeable and interested representatives from the
business, IT, audit and, if necessary external advisors, can help to rapidly pinpoint key risks requiring attention, as well as
prioritising risk management actions. It is also important to identify the benefits of managing a risk as they can help to justify
the business case for taking action. Benefits can include financial savings such as reduced losses and improved efficiencies
as well as intangibles such as improved reputation and image.
Risk management checklists are useful for raising awareness and reminding everyone of typical risk related issues. Regular
self-assessments, internal audits and external audits/assessments are also helpful to ensure objectivity, and a thorough
approach. For technical areas such as Internet security, the advice of an expert is likely to be required to ensure any technical
vulnerabilities have been identified.
6.3 Using standards and best practices – is certification useful?
There is no doubt that effective management policies and procedures help to ensure that risks are identified and managed as
a routine part of everyday activities. Adoption of standards and best practices will help to enable quick implementation of good
procedures and avoid lengthy delays re-inventing wheels and agreeing approaches.
The best practices adopted have, however, to be consistent with the risk management framework and be appropriate for the
organisation, and be integrated with other methods and practices that are being used. Standards and best practices are not a
panacea and their effectiveness will depend on how they have been actually implemented and kept up to date. They are most
useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming
“shelf-ware”, change enablement is required, so that management and staff understand what to do, how to do it, and why it is
important. For risk management to be effective, the use of a common language and a standardised approach oriented towards
real business requirements is best – making sure everyone follows the same set of objectives, issues and priorities.
Benchmarking is another very useful way to compare how risk management is being addressed within the organisation in
relation to best practice, industry peer groups and other organisations. Conformance to generally accepted standards and
practices can be very helpful when managing risks relating to outsourced services and third party suppliers. Certification
Figure 6.2

against a standard may be important for helping to establish trust with trading partners, or for raising significance within
the organisation. However, there is a danger that acquiring a certificate becomes more important as a marketing tool, than
operating effective management itself. Certification may also only mean conformance with a baseline and may in itself not
be sufficient to address all the risks in the organisation. In the IT environment there is no specific standard relating to risk
management, but there are standards and best practices covering specific areas. Of these CobiT, ISO17799, ITIL, ISO9000,
PMBOK and Prince2 are the most widely used.
6.4 What are the roles of management, staff and auditors?
The ownership of IT risks, and giving direction for managing key risks is a fundamental aspect of IT Governance. An absence
of top management responsibility and accountability for risk management can result in serious risks being ignored, potentially
misguided actions, and even costly investments being wasted. Ultimately it is the business – the user of IT services – who must
own business related risks including those related to the use of IT. They should set the mandate for risk management, provide
the resources and funding to support any necessary risk management plan designed to protect their business interests, and
monitor whether risks are being managed. In practice, due to the complex and technical nature of IT, the IT service provider will
need to provide guidance and work with business management to ensure adequate safeguards are in place. IT management
will then have a responsibility to endorse, establish and monitor the agreed risk management framework including key
principles and mitigation strategies. IT and user staff have a responsibility to implement the framework, assessing, escalating
and delivering mitigating actions.
Auditors can provide initial momentum by highlighting to senior management inadequate risk management practices or
specific risks that are not being adequately addressed. Audit should also align its work with key business risks and known areas
of weakness, provide independent assurance to management that appropriate risk management plans are in place and are being
followed in all key areas, and otherwise provide improvement recommendations.
The OGC makes the following suggestions regarding risk ownership:
• Allocate responsibility at a senior level for managing key risks
• Ensure that every risk has an owner; there may be separate owners for the actions to mitigate the risks
• Ensure anyone allocated ownership has the authority to take on the responsibility and that they are aware that they are the designated owner
• Adopt a mechanism for reporting issues – ultimately to the individual who has to retain overall responsibility
6.5 Who needs to be competent?
A key characteristic of any successful IT Governance initiative is the establishment of an enterprise-wide approach that clearly
sets out roles and responsibilities, emphasising that everyone has a part to play in enabling successful IT outcomes.
Implementation of effective IT Governance therefore depends on everyone having adequate and appropriate skills to fulfil their
specific role. In most organisations, Investors and Controllers will have a good understanding of governance principles but
they usually have a very poor understanding of how to apply these principles in the world of IT. Providers, who are usually IT
specialists, conversely understand IT but have a poor appreciation of governance and control principles.
Most IT Governance initiatives begin with the establishment of an IT Governance project team and the appointment of an IT
Governance project manager. The team is likely to be made up of people with some existing skills and relevant experiences,
sometimes supported by external advisors, but usually even these teams will require training to improve their competence in
IT Governance concepts and implementation approaches.
Over time the project team will become the specialists, guiding and mentoring all role players. For IT Governance to be
successful and sustainable, skills must be transferred from the specialists to the rest of the organisation.
6.6 What competence is required?
Each group of role players will require different sets of skills to support IT Governance effectively (Figures 6.6-6.6.2).

Figure 6.6: Investors

Role & Responsibilities

Management board (authority to make things happen)
• Give direction backed up with adequate support and sponsorship
• Balance requirements with available resources, making available additional resources if required
• Insist on and seek measurable benefit realisation
• Coordinate overseas/satellite parts of the enterprise to ensure their interests and constraints have been considered
• Create organisation and structure to ensure board involvement in the governance process – by forming committees, establishing reporting processes
• Monitor performance, monitor risks, correct deviations

Business and IT senior managers, business partners and project sponsors
• Implement organisation and necessary infrastructure
• Take ownership of requirements
• Champion and collaborate in IT governance activities
• Ensure business strategy and objectives are set and communicated and aligned with IT
• Assess business risks and impacts
• Establish reporting processes meaningful to stakeholders
• Communicate any business concerns in a balanced and reasoned way
• Provide project champions, creating the seeds of change

User representatives
• Take responsibility for Quality Assurance programme (design and output)
• Regularly check actual results against original (or changed) goals
• Provide service feedback to providers

Competence Required

General executive leadership skills:
– Ability to understand the big picture and how IT plays a part
– Ability to think strategically – how can IT make a positive difference to enterprise strategy?
– Ability to make strong decisions relating to IT, and be able to direct and challenge IT approaches

Ability to challenge:
– Uncover IT related issues
– Probe business cases
– Assess concerns
– Assess performance

IT awareness and understanding:
– Ability to demonstrate value of IT to the business, including return on investment
– Ability to understand how the business can use IT profitably
– Ability to appreciate the impact of IT on the business, from a value perspective but also from a risk perspective
– Be able to link the IT and business strategy, and show how IT supports and enables the overall strategic approach

Ability to challenge:
– Uncover IT related issues
– Assess accuracy of requirements
– Assess and prioritise concerns
– Assess performance
– Assess impacts of risks and poor performance

Ability to articulate requirements and monitor delivery:
– Understand how to express IT related requirements, test deliverables and provide constructive feedback
Figure 6.6.1: Providers

Role & Responsibilities

IT management (internal and external), with support from business management
• Take ownership and set direction of IT Governance activities
• Build and achieve a pilot business case

IT management
• Set IT objectives
• Define IT governance and control framework
• Identify critical IT processes
• Assess risks, identify concerns
• Assess IT capability, identify gaps
• Initiate a continuous improvement programme
• Develop business cases for improvements
• Design and implement solutions
• Commit skilled resources
• Establish performance measurement system
• Report to senior management
• Respond to QA feedback from customers

Suppliers/business partners
• Integrate any own existing or planned governance practices with customer
• Support and contribute to customer’s governance approach
• Agree service definitions, incentives, measures and contracts/agreements

Training and Development
• Ensure adequate education and communication

HR function
• Incorporate governance principles into induction and performance measurement process

Core team
• Define plan and deliverables
• Organise team and roles (architects, senior responsible officer, facilitator, project manager, process owners)
• Undertake core tasks
• Report progress to plan

Competence Required

Ability to manage overall IT activities:
– Ability to communicate well in business language
– Influencing skills – particularly, able to influence the Investors
– Knowledge of the IT organisation and the wider business organisation
– Awareness of overall business and IT strategy
– Ability to take a high level view and understand the rationales
– Aggregate assessment – be able to appreciate the whole IT picture, identify and prioritise key issues and actions
– Ability to justify improvement actions
– Understand the principles of regulation

Supplier management skills:
– Contract and commercial management
– Risk management
– Stakeholder management – who should be involved and why
– Portfolio management
– Budget management

People related IT Governance skills:
– Understanding of roles
– Understanding of competencies required
– Understanding of sources of expertise

Delivery management skills:
– Familiarity with best practices
– Understanding of IT processes, how they should be controlled, and how to monitor performance
– Knowledge of corporate standards and policies affecting IT
– Ability to provide cost estimates
– Engagement and project management

Figure 6.6.2: Controllers

Role & Responsibilities

Internal and external audit
• Scope audits in coordination with governance strategy
• Provide assurance on the control over IT
• Provide assurance on the control over the IT performance management system

Risk management
• Ensure that new risks are identified in a timely manner, provide advice

Compliance officers
• Ensure that IT complies with policy, laws and regulations

Finance
• Advise on and monitor IT costs and benefits
• Provide support for management information reporting
• Incorporate governance requirements into purchasing/contract process

Competence Required

How to apply good Governance practices effectively in IT:
– Understand the business environment and its impact on IT
– Awareness of the business impact, the need for and justification of IT control
– Ability to be practical and pragmatic
– Ability to communicate and explain the context of need for control, regulations etc. and the benefits of taking action
– Analysis ability – root cause determination
– Able to put theory into practice, be knowledgeable of real world examples
– Objectivity and independence
– Coaching, mentoring and skills transfer competence so that others learn control theory
– Negotiating skills to persuade others

6.7 How to obtain, develop, retain and verify competence
Recruitment
When considering who to place in IT Governance lead positions, especially when creating an initial project team, staff in a
number of existing positions may be excellent candidates. The IMPACT IT Governance SIG members have found that the
following roles often provide people who would be effective in IT Governance roles:
• Auditors
• Project Managers
• Risk Managers
• Business Analysts
• Infrastructure Management
• Procurement/Contract Management
• IS Strategy – alignment with the business
• Quality Management
• Business Relationship Management
• Programme Managers
However, there is a need for breadth of business and IT knowledge rather than too narrow a specialisation.

Developing Skills
Demonstrating commitment by senior management for the importance of IT Governance and the value of being competent,
removing cultural barriers and improving communications are all critical success factors for improving competence.
Suggested techniques for improving skills by each group of role players are shown below:
Investors
• Obtain external experiences to help position and challenge internal activities
• Obtain “360 degree feedback”
• Consider appointing Executive mentoring advisors
• Obtain and read Executive briefings
• Seek non-executive challenges to the Board
• Consider external Executive IT awareness courses
• Foster cultural change activities
• Foster collaborative working and co-location
• Enable job exchanges to improve awareness
Providers
• Formalise documentation of governance, standards and best practices
• When training, focus on specialised and relevant areas
• Organise internal events to raise awareness
• Rotate involvement in governance meetings to improve understanding
• Use the results of assessments and maturity modelling to raise awareness of governance issues, gaps in capability, and impact on the business of IT weaknesses
• Ensure management and control of IT is taken seriously
• Manage the transfer of skills from the specialists to the organisation
The sequence of events should be:
1. Training
2. Establish an environment which fosters governance
3. Roll out the processes and skills
4. Measure compliance with standards and reinforce
Controllers
• Skills development is often more about learning on the job than about training courses
• Understand the business, how IT affects the business, the IT related business risks, and why IT needs to be controlled
• Focus on professional training in IT Governance and consider certification in relevant skills
• Maintain continuing professional development
• Consider ‘soft’ skills training to improve communication and influencing skills
Retention of Skills
The most effective way to retain IT Governance skills is by establishing standards and practices within the organisation
rather than only within individuals. This reduces reliance on key individuals and ensures sustainable processes are put into
place. In addition:
• At all levels there will be a need to refresh skills continually because of the changing nature of IT
• Skills transfer should always be encouraged, especially from experts to operational staff
• Providers must be valued for their governance skills and encouraged to invest in them. This is especially true of external service providers.
• Induction training is required for new joiners, especially those holding key positions in controller functions.

If there is institutionalised, sustained implementation of IT governance then the environment will support continual skills
growth.
Verifying Skills
The best way to verify competence is to include governance skills in the appraisal process. This should be based on
performance on the job:
• Clear job objectives and role definition for IT Governance
• IT Governance competencies required for role
• Review of competency performance
In addition, surveys can be carried out periodically to measure the level of awareness in key competencies. This technique can
also be a valuable awareness raising and reinforcing technique. Another approach to verifying competence is to measure the
maturity of IT Processes, focusing on competency aspects. The chart below shows generically how this could be done based
on guidance from CobiT’s Management Guidelines (Figure 6.7).

Figure 6.7: Generic Maturity Model for Governance Competence (CobiT)

Level 1: Initial/Ad Hoc
Understanding & Awareness: Recognition
Training & Communication: Sporadic communication on issues
Expertise: none listed

Level 2: Repeatable but Intuitive
Understanding & Awareness: Awareness
Training & Communication: Communication on the overall issues and needs
Expertise: none listed

Level 3: Defined Process
Understanding & Awareness: Understanding of need to act
Training & Communication: Informal training supports individual initiatives
Expertise: IT Governance expertise exists within the Process owner and team

Level 4: Managed & Measurable
Understanding & Awareness: Understand full requirements
Training & Communication: Formal training supports a managed programme
Expertise: IT Governance expertise is monitored and measured outside the Process

Level 5: Optimised
Understanding & Awareness: Advanced, forward-looking understanding
Training & Communication: Training and communications support external best practices and use leading edge concepts
Expertise: Use of external experts and industry leaders for guidance, comparison to best practices

6.8 When to source competence from outside
Acquiring IT Governance competence from outside the organisation will be driven by two different objectives:
• When it is more cost-effective to outsource skills that are not available in-house
• When outside input of expertise is beneficial in its own right
However, if implementation of IT Governance is to be successful and sustainable, competence will have to be developed
within the organisation, since management of IT must be owned within the organisation. In many organisations where all or
significant parts of the IT service have been outsourced, responsibility and competence for controlling use of these services
should still be retained internally. It is essential to retain sufficient skills internally to be able to sustain the business – and to
understand and manage what is being outsourced.
6.9 Key learning points
The following list of key points has been identified by the IMPACT IT Governance SIG and should be considered when
developing IT Governance skills:
Skills optimisation
• Governance skills are normally found at the top level, but are typically not understood in the context of IT
• The appointment of an IT Governance manager and team should not be permanent because governance practice should become business as usual
• People must understand why governance is important
• Governance skills need to be transferred from the specialists to the organisation as a whole
• The best approach to training is learning by doing and being part of the process
The sequence of events should be:
1. Specialised training
2. Establish an environment which fosters governance
3. Roll out the processes and skills
4. Measure compliance with standards and reinforce

7 Supplier Governance
7.1 Why is Supplier Governance important?
7.2 The customer’s role
7.3 How best to select a supplier
7.4 The customer/supplier relationship
7.5 Service management techniques and SLAs
7.6 The supplier/outsourcing governance lifecycle
Every organisation relies on numerous suppliers to support its business and IT strategy. It is not unusual for external
organisations to provide critical IT infrastructure (such as telecommunications networks, hosted data centres, and
software applications) used by critical business processes, and increasingly the trend is to outsource significant parts of the
internal IT function.
Effective governance of IT suppliers is therefore a key component of IT Governance, to make sure that risks are managed
and value is delivered from the investment in supplier products and services. Most organisations are highly dependent on
a limited number of key suppliers, and so governance should be focused on those relationships with the greatest risk and
investment. For supplier governance to be effective the role of the customer is crucial. The customer should take ownership of
the whole transaction from defining requirements and selection all the way through to engagement, operation and termination.
Even when the bulk of IT is outsourced, several key functions should be retained because they supply continuity for clients
of IT, provide for the oversight of the outsourcer, are highly specific to the way the business operates, and are strategic to the
organisation. To some extent, the mix will vary with the reason(s) for outsourcing and which functions have been outsourced.
However, all organisations will need to retain some expertise in strategic functions, such as project oversight, architecture,
planning, vendor management, and security.
One of the best ways to establish effective supplier governance is to focus on the relationship:
• The correct form of the relationship (commodity provision, ‘market relationship’, allows clearly definable boundaries between client and supplier, while the ‘partnership’ end of the scale requires an ongoing and close cooperation)
• How both parties engage with each other
• Commitment by both parties at a senior level
• Responsibility and accountability by senior decision makers on both sides
• Specification of governance responsibilities in a “governance schedule” within the contract
Try to create a win/win partnership so that both parties are motivated for success – beating down the supplier is generally
seen as poor practice, while cooperation, considered openness and mutuality of benefit defines the basis for better working
relationships.
Underpinning the customer/supplier relationship should be formal service level agreements which define objectives and
measures in customer relevant terms, managed according to service management best practices such as ITIL.
7.1 Why is Supplier Governance important?
“Because organisations are relying more and more on IT, management needs to be more aware of critical IT risks and whether
they are being managed. Furthermore, if there is a lack of clarity and transparency when taking significant IT decisions, this
can lead to reluctance to take risks and a failure to seize technology opportunities. There is a realisation that because IT is
complex and has its own fast changing and unique conditions, the need to apply sound management disciplines and controls
is even greater.” (IT Governance – The Business Case)
Most organisations are highly dependent on a limited number of key suppliers, and so governance should be focused
on those relationships with the greatest risk and investment. The outsourcing of a function or service is likely to be a major
strategic decision which should be governed carefully. Outsourcing is also a huge global commercial business opportunity for
the service providers who will compete fiercely for market share. In such a complex technical and commercial situation, proper
governance is crucial to help avoid potential service failures and large financial losses.
7.2 The customer’s role
For supplier governance to be effective, the role of the customer is crucial. The customer should take ownership of the whole
transaction from defining requirements and selection all the way through to engagement, operation and termination. It is
essential that what is outsourced by the customer is NOT its core competency as this is what defines what the organisation
is, how customers perceive it and how it retains its position in the marketplace. Only under a limited set of circumstances, one
example being technology catch-up, should core competencies be outsourced. The supplier is of course also a stakeholder
and will want to ensure the relationship is properly managed, and that the financial and operational requirements are
acceptable. It will be in the customer’s interest to balance the supplier’s needs with his own in order to arrive at a solution that
provides reasonable incentives for the supplier while properly meeting the customer’s needs.
If the relationship is critical in support of the customer’s business strategy (which will be the case if significant outsourcing
is planned, or if critical infrastructure needs to be supported), then the customer’s role in ensuring effective governance will
be particularly important and should address:
• Discipline over managing the transaction and transparency of the results
• Independence from the supplier
• Accountability and responsibility for key decisions
• Increasing stakeholder value (both internal and for the supplier)
• Key governance steps at each stage, best defined in a governance schedule in the contract, and in a shared procedure manual where key responsibilities and escalation procedures are defined.

Figure 7.1: Causes of outsourcing failures – source Outsourcing Center 2004
Unclear buyer expectations 23%; Misaligned interests 15%; Poor Governance 13%; Not mutually beneficial 11%; Other 11%; Poor communication 11%; Provider’s poor performance 8%; Poor cultural fit 5%; Buyer’s multi-buyer environment 3%
How to be an effective customer
Organisation
• Focus on what’s critical
• Have the right capability to manage IT suppliers
• Ensure there are clear roles and responsibilities on the customer’s side of the relationship
• Ensure there is an Executive level sponsor who will be responsible and accountable for all significant decisions regarding key suppliers
• Commit long-term
• Establish relationships at multiple levels
• Organise suppliers according to criticality and roles
Technical
• Manage technical IT issues to ensure conformance where necessary and compatibility with in-house technical standards
• Ensure all relevant legal and regulatory requirements have been considered
• Standardise and commoditise solutions wherever possible
• Set realistic expectations regarding service delivery
• Take time to understand product and service offerings
• Understand how your own IT assets may be affected by supply of external products or service
• Ensure there is good control of the internal environment affected by the external supply
Project Approach
• Take care to manage all staff related issues
• Set up a co-ordination committee of senior customer representatives
• Make sure there is a process for both parties to follow
• Build into the requirements and contract plans for transition/transformation from the current state to an outsourced service
• Approach contracts and relationships in a balanced way ensuring risks have been considered in the context of the value expected from the supplier
• Avoid the danger of mixed messages coming from different parts of the customer organisation
• Make sure there is top-down management commitment to support all key decisions
How to monitor and measure
1. Identify a limited range of meaningful and measurable key measures e.g.:
• Performance
• Financial
• Risks
• Compliance
• Relationship
• Value added
• Delivery
2. Take ownership and define and obtain agreement for all measures
3. Supplier senior management should:
• Provide data for all measures they are responsible for
• Monitor delivery performance
• Agree remedial action with customer
• Commit remedial actions
4. Customer IT service management should:
• Be responsible for monitoring and reporting
• Prioritise and recommend actions
5. Customer should:
• Provide customer satisfaction measurement data
• Consider benchmarking to other organisations and other services
What functions should be retained by the customer?
(Reference: Forrester Research, “Functions to Retain when Outsourcing”, July 2004)
Even when the bulk of IT is outsourced, several key functions should be retained because they supply continuity for clients
of IT, provide for the oversight of the outsourcer, are highly specific to the way the business operates, and are strategic to the
organisation. To some extent, the mix will vary with the reason for outsourcing. However, all organisations will need to retain
some expertise in strategic functions.
7.3 How best to select a supplier
The following steps are suggested:
1. Research the markets to identify preferred suppliers
2. Consider the size of supplier compared to your organisation and your requirements
3. Consider the need to integrate several suppliers
4. Do due diligence reviews
5. Prepare an effective RFP
6. See key people
7. Consider pilots and pre-project trials
8. Check track record
9. Consider impact of any off-shore situations
7.4 The customer/supplier relationship
One of the best ways to establish effective supplier governance is to focus on the relationship:
• How both parties engage with each other
• Commitment by both parties at a senior level
• Responsibility and accountability by senior decision makers on both sides
• Specification of governance responsibilities in a “governance schedule” within the contract
Make sure each party understands its role. Figure 7.4 summarises how IMPACT SIG members believe each group of
stakeholders should focus in the customer/supplier relationship.

7.5 Service management techniques and SLAs
Underpinning the customer/supplier relationship should be formal service level agreements, managed according to service
management best practices. ITIL is recommended as the best source of guidance in this area, and the IMPACT SIG
members recommended the following techniques:
• Use a supplier governance framework to drive service management practices (figure 7.5).
• Create a service management board to oversee service delivery
• Create a service code of practice “how to engage”
• Adopt standard processes for managing the services
• Develop a common language and common understanding of service objectives
• Ensure there is a clear definition of service scope
• Define the scope of the retained IT function
• Maintain the contract as a result of service changes
• Create a policy and procedure manual for both parties to follow
• Where possible define a service credit regime – this describes how ‘overs and unders’ on the service provision are handled without recourse to hard, fixed penalties
Figure 7.4: Stakeholder focus in the customer/supplier relationship

Party | Stakeholder | Focus
Customer | Investors | Define outsourcing and procurement strategy; define supplier governance framework; provide supplier with strategic direction; approve contracts and any changes; consider future business requirements; define business objectives; evaluate performance
Customer | Providers | Specify architecture; define business requirements; manage relationship; manage projects; monitor service
Customer | Controllers | Verify financial ROI; manage contract; assess and monitor risk; ensure legal/regulatory compliance; perform financial analysis; ensure supplier service audit; establish security policy
Supplier | Investors | Define business objectives; protect supplier and customer investments; commit resources for delivery; define service strategy; define governance framework
Supplier | Providers | Define services; define service levels; monitor service quality
Supplier | Controllers | Measure financial performance; monitor risk management; manage contracts

7.6 The supplier/outsourcing governance lifecycle
The outsourcing lifecycle is useful in determining major points for governance throughout the contract, but more importantly
ensures a common understanding of the major processes (Figure 7.6).
Figure 7.5
Figure 7.6

8 IT & Audit Working Together & Using CobiT
8.1 Introduction to CobiT ... 43
8.2 How is CobiT being used? ... 44
8.3 What are the roles of IT and Audit for IT Governance? ... 45
8.4 How can IT and internal audit work better together? ... 45
The growing interest in IT Governance, increasing pressure to deal with regulatory compliance (e.g. Sarbanes-Oxley), and a continuing focus on security have made IT management much more involved in risk management and control
activities. There is therefore a need for IT management to work more closely with IT auditors.
For many years there have been barriers between auditors (both internal and external) and auditees (IT functions and
business units). This can be due to communication gaps, hidden checklists, and a failure to collaborate on control assessment
and control improvement. A more effective approach requires better recognition of one another’s role and alignment to a
mutually accepted and understood control framework, so that everyone is “on the same page”.
CobiT is an IT Control and Governance Framework that is increasingly being adopted by organisations around the world as
a common reference model for IT Control. CobiT has historically been mostly used by IT auditors but the trend now is for IT
management to use CobiT as a basis for IT process ownership, a reference model for good controls and as a way to integrate
other best practices under one “umbrella” aligned to business needs. More advanced users make use of CobiT’s maturity
modelling and metrics to measure performance and drive improvement initiatives.
As a consequence, many IT functions and IT service providers are adopting CobiT as part of their operational control
framework.
8.1 Introduction to CobiT
Business orientation is the main theme of CobiT. It is designed to be employed not only by users and auditors, but also, and
more importantly, as comprehensive guidance for management and business process owners. Increasingly, business practice
involves the full empowerment of business process owners so they have total responsibility for all aspects of the business
process. In particular, this includes providing adequate controls. The CobiT Framework provides a tool for the business process
owner that facilitates the discharge of this responsibility. The Framework starts from a simple and pragmatic premise:
In order to provide the information that the organisation needs to achieve its objectives, IT resources
need to be managed by a set of naturally grouped processes.
The Framework continues with a set of 34 high-level Control Objectives, one for each of the IT processes, grouped into four
domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring. This structure
covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the
business process owner can ensure that an adequate control system is provided for the IT environment.
IT Governance guidance is also provided in the CobiT framework. IT Governance provides the structure that links IT processes,
IT resources and information to enterprise strategies and objectives. IT Governance integrates optimal ways of planning and
organising, acquiring and implementing, delivering and supporting, and monitoring IT performance. IT Governance enables
the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining
competitive advantage.
In addition, corresponding to each of the 34 high-level control objectives is an Audit Guideline to enable the review of IT
processes against CobiT’s 318 recommended detailed control objectives to provide management assurance and/or advice
for improvement.
“The Management Guidelines further enhance and enable enterprise management to deal more effectively with the needs
and requirements of IT governance. The guidelines are action oriented and generic and provide management direction for
getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals,
for monitoring performance within each IT process and for benchmarking organisational achievement. CobiT’s Management
Guidelines are generic and action oriented for the purpose of answering the following types of management questions: How
far should we go, and is the cost justified by the benefit? What are the indicators of good performance? What are the critical
success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare?”
(CobiT Framework 2000, www.itgi.org)
ISACA recognised in the early 1990’s that auditors, who had their own checklists for assessing IT controls, were talking a
different language to business managers and IT practitioners. In response to this communication gap, CobiT was created as
an IT control framework for business managers, IT managers and auditors, based on a generic set of IT processes meaningful
to IT people. The best practices in CobiT are a common approach to good IT control – implemented by business and IT
managers, and assessed on the same basis by auditors. Over the years CobiT has been developed as an open standard and
is now increasingly being adopted as the control model for implementing and demonstrating effective IT Governance.
Today, as every organisation tries to deliver value from IT while managing an increasingly complex range of IT related risks,
the effective use of best practices can help to avoid re-inventing wheels, optimise use of scarce IT resources, and reduce
the occurrence of major IT risks such as:
• Project failures
• Wasted investments
• Security breaches
• System crashes
• Failures by service providers to understand and meet customer requirements
Due to its high level and broad coverage, and because it has been based on many existing practices, CobiT is often referred
to as the “integrator”, bringing disparate practices under one “umbrella” and just as importantly, helping to link these various
IT practices to business requirements.
8.2 How is CobiT being used?
Although the long-term aim of CobiT was to be a common framework used by management and auditors, it began as an Audit
reference. This was largely due to its origins within ISACA and its early adoption by ISACA members who are mostly from the
computer audit profession. Over the years its usage has widened out into the IT community and nowadays this is the fastest
growing user segment. Whereas auditors have been using CobiT mostly as a controls checklist, IT managers see it more as a
“best practice” framework for performance measurement and improvement planning. With increasing regulatory requirements
such as Sarbanes-Oxley in the US, both auditors and IT managers are adopting CobiT as the compliance framework for IT
controls. The CobiT IT Process model has helped convey a view of IT understandable to business management, auditors and
IT, and at the same time provide a basis for IT functions to organise themselves into a process structure with accountable
process owners.
The maturity modelling and metrics concepts within CobiT are probably the most popular for IT managers, providing an easy
and powerful technique for positioning IT control gaps in the context of business requirements. The profiles and scorecards
that result are a powerful tool for communicating with senior management and demonstrating the reality of current IT
capability in relation to what the business might have expected.
As organisations have adopted the CobiT approach, it has driven the professional Audit firms to follow similar approaches,
and to integrate CobiT into their internal proprietary methodologies. This has helped to break down communication barriers
and improve the mutual understanding of IT controls. There is also a trend among service providers to use CobiT and other
best practices to improve their market image and quality of service. This is also helping to improve communication of control
issues and make it easier to manage and audit IT activities against a commonly accepted basis. Because CobiT is open and
independent of any specific vendor all parties can use it freely. It is not a “standard” as such but a “best practice” framework
and set of guidance materials to be tailored for each specific situation.
There is currently a great deal of focus on the Sarbanes-Oxley Act in the US, and the reporting requirements that this
legislation requires for Company Directors. Many companies are using CobiT as the framework for reporting the status of IT
systems and controls, and consequently a massive CobiT-based controls documentation effort is underway. While Sarbanes-
Oxley has been very useful for putting IT governance and control on the Board’s agenda, there is a danger that the effort will
be limited to a documentation exercise to achieve compliance. The real value from any control evaluation, especially when
based on CobiT, is the identification of control gaps and the implementation of a sustainable improvement programme. There
is an analogy with the Y2K experience in that Sarbanes-Oxley should not be a one off exercise but an ongoing programme for
improving management control and establishing governance.
8.3 What are the roles of IT and Audit for IT Governance?
Role of IT Audit
• IT Governance is a management responsibility, and therefore not the sole responsibility of an Audit function. The Audit function should remain independent, but this can provide an excellent position to influence and recommend change. Independence should not inhibit provision of advice, so long as management take full responsibility and accountability for implementation and operation of controls. Taking responsibility for enabling an IT Governance initiative or for initiating governance projects should not compromise Audit.
• IT Governance requires management commitment and ownership within IT and the business in order to make it happen. Audit can then determine if it is happening, and provide assurance to the board.
• When reviewing Governance, Audit must do more than just identify problems. They need to identify root causes and make constructive recommendations.
• Audit can test controls especially where control is critical and assurance is required. But increasingly there is a trend for IT to “test themselves” by performing self-assessments.
• Audit can play a part in setting standards, and providing control criteria and control benchmarks, particularly in respect of external regulation.
• Given the speed of IT change and the high cost of development projects, it makes sense to involve auditors in projects. To be effective auditors must:
– Be credible and confident to gain the respect of IT
– Not wait until the end of a phase to critique – but give pro-active guidance on what should be done
Role of IT
• IT has to be responsible for changing the culture of the IT organisation, for managing the IT processes, and adopting a focus on controls.
• IT professionals often have a poor understanding of what controls are and why they are needed. Education in control principles may be needed, and audit can help with this by working together with IT, and by providing training, workshops and staff secondments.
• A common framework and understanding is needed in order to ensure that IT Management is exercising IT Governance. Using a common framework for control such as CobiT will help to ensure that everyone is “on the same page”.
• The CIO and Head of Internal Audit should work together to drive change.
• IT should take a lead on governance; audit can “sow the seeds”.
• If IT (as so often) is in ‘fire fighting’ mode it is harder for them to drive governance.
• Executive management may point to historic data as showing no problems – so why should they worry about governance? However, the problems can usually be identified by IT digging into process failures – e.g. project delay and excess cost.
• IT management have to be confident of their position to draw attention to internal weaknesses.
8.4 How can IT and internal audit work better together?
Increasingly, control self-assessments are being performed by IT functions because it is more efficient than relying on limited
IT audit resources, and more likely to motivate corrective action.
Typical examples using self-assessments are:
• Risk assessments
• Compliance with specific standards (ISO 17799)
• Compliance with regulatory requirements such as Sarbanes-Oxley
• Quality of service assessments
• IT Process Maturity assessments (e.g. CobiT)
The methods used vary from formal schemes, perhaps based on IIA (Institute of Internal Auditors) or Internal Audit
guidance to less formal approaches. All approaches can provide value e.g.:
• Questionnaires – based on policy (e.g. security): How do you consider you have addressed each objective?
• Self certification by management e.g. Sarbanes-Oxley
• Face-to-face interviews and workshops
• Pre-defined checklists
Figure 8.5: IT contribution and Audit contribution by Governance Phase
Common approach – culture, charter, communication and language, clear ownership

Phase: Building Awareness & Ownership
IT contribution:
• Get CIO commitment.
• Know your audience when explaining IT Governance, controls adoption and CobiT.
• Get ownership from the business side, using business language, RAG charts and scorecards. Demonstrate strengths and weaknesses.
• Influence the business and the board about IT management issues (use ITGI Board Briefing) (www.itgi.org).
• Achieve a balance between regulation and improvement planning. Leverage regulations for positive effect.
• Coordinate with service providers who may be a trigger and may be using CobiT.
Audit contribution:
• Provide thought leadership.
• Influence the Board and Audit Committee to take issues seriously and mandate change.
• Use objective and independent position to recommend organisational change.
• Don’t just make general recommendations – point to root causes.
• Provide independent view of the risk profile.
• Regulations like Sarbanes-Oxley can be an enabler of change – encourage response to be more than just a documentation exercise.
• Demonstrate benefits.

Phase: Framework Approaches
IT contribution:
• Adopt a Framework e.g. CobiT.
• Appoint process owners.
• Liaise with 3rd parties and service providers.
• Integrate existing and other best practices.
Audit contribution:
• Provide thought leadership on available techniques.
• Perform “open book” audits (no hidden checklists or issues).
• Ensure business and IT orientation to audit approach and recommendations.
• Share audit information and documentation.

Phase: Focus
IT contribution:
• Perform risk self assessment.
• Perform business impact analysis with business units.
• Define business requirements for IT Governance together with business units.
• Understand impact of regulatory and compliance issues.
• Perform a maturity self assessment on critical IT processes.
• Understand risk appetite.
Audit contribution:
• Ensure scope alignment (audits versus governance).
• Identify key risks.
• Analyse audit history and use to prioritise.
• Share planning approach.
• Identify key control weaknesses.
• Define regulatory compliance requirements.
• Coordinate with external auditors.

Phase: Assess
IT contribution:
• Do internal/external benchmarking.
• Internal/external analysis.
• Perform controls self-assessments.
• Perform detailed self maturity assessments.
Audit contribution:
• Provide assurance of IT self-assessments.
• Provide positive statements where appropriate.
• Provide independent control evaluations for critical areas.

Phase: Scorecard
IT contribution:
• Produce scorecards and RAG charts for IT performance in business terms.
• Provide explanations for deviations, successes and significant trends.
Audit contribution:
• Review and assure measures.
• Provide “Audit scorecards” showing performance against past audit reports.
• Provide where appropriate independent scorecards of IT performance.

Phase: Improvement
IT contribution:
• Define HOW improvements can be made.
• Create business case for changes.
• Create implementation action plan.
• Provide Project Control and QA.
• Facilitate job rotation/secondees.
Audit contribution:
• Advise on WHAT should be improved.
• Provide training in controls.
• Provide workshops to improve understanding.
• Organise shared events.
• Facilitate job rotation/secondees.

The effectiveness of a self-assessment depends on the quality, objectivity, skill and experience of the people performing the
review. Using an alternative means of checking to supplement the questionnaire can help as can obtaining Internal audit input
in an educating/reviewing role.
There are a number of constraints and challenges relating to self-assessments:
• Level of maturity
• Number/volume of testing
• Reliance on the results
– Objectivity
– Completeness and Rigour
• Resources – IT is typically overloaded with day to day pressures
• Political issues need to be addressed – how to get management buy-in, and there may be a reticence to identify and quantify risks
• Cultural aspects should be considered – e.g. the need to balance positive messages with weaknesses
• Avoid routine ‘ticking boxes’ exercises, which are much less valuable
The following are some practical requirements for self-assessments:
• Individuals performing assessments recognise accountability
• There will be a need for a framework/objectives/policy to self assess against (e.g. based on CobiT)
• Well designed questionnaires – keep them simple with no ambiguity, and examples to aid interpretation
• Coaching/training may be needed if using a web-based questionnaire
• Require supporting evidence to be documented
• Training may be needed on risk identification, definition, and quantification
9 Information Security Governance
9.1 Background ... 48
9.2 What is information security? ... 49
9.3 Where to focus ... 50
9.4 Roles and Responsibilities ... 50
9.5 Action planning and best practice ... 52
Executive management has a responsibility to ensure that the organisation provides all users with a secure information systems environment. Sound security is fundamental to achieving this assurance.
Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. These risks
have led to a gap between the need to protect systems and the degree of protection applied. Although awareness of these
security issues has increased significantly at board levels, most senior business managers are uncertain about actions they
should take and rely heavily on technical advisors. Proper governance of security, like any other aspect of IT, requires top
management to be more involved in setting direction and overseeing the management of risk. Faced with the fear of unknown
risks, and uncertainty regarding the effectiveness of existing controls, top management naturally wonder where to focus
attention and set priorities. A risk assessment is usually the best place to start. A complementary approach is to focus on
establishing a security baseline irrespective of the risks – i.e. ensure that all the basic measures are in place.
Managing investments in the implementation and operation of controls is critical, since security can be an expensive and
time-consuming task, and experience has shown that large sums of money can be wasted on ineffective or inadequately
implemented technical solutions. However, proving security ROI can be difficult since actual reductions in losses or incidents
must be shown, and it is sometimes impossible to know if a risk has been prevented.
There is no doubt though, that the easiest way to demonstrate cash return is by showing the cost of incidents and wherever
possible this should be done even if the examples are based on assumptions rather than actual figures. Increasingly, the
benefits of good security are being recognised by management who understand that security is needed to enable e-business
and that a reputation for good security can enhance customer loyalty, sales and ultimately share price. These benefits should
be considered when building the business case for security investments. Given that IT security is a specialised topic and there
is a shortage of skills, organisations will often seek support from third parties. Information security specialists can play a key
role although governance and final decision-making must remain in-house.
9.1 Background
“In a global information society, where information travels through cyberspace on a routine basis, the significance of
information is widely accepted. In addition, information and the information systems and communications that deliver the
information are truly pervasive throughout organisations—from the user’s platform to local and wide area networks to servers
to mainframe computers. Accordingly, executive management has a responsibility to ensure that the organisation provides all
users with a secure information systems environment. Furthermore, there is a need for organisations to protect themselves
against the risks inherent with the use of information systems while simultaneously recognising the benefits that can accrue
from having secure information systems. Thus, as dependence on information systems increases, security is universally
recognised as a pervasive, critically needed, quality.” (International Federation of Accounts (IFAC) Statement on Managing
Security of Information 1998)
Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated
information security can add real value to the organisation by contributing to interaction with trading partners, closer customer
relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process
electronic transactions and generate trust.” 5
5. Information Security Governance: Guidance for Boards of Directors and Executive Management, the IT Governance Institute®.
The view of the IMPACT IT Governance SIG is that information security concerns have increased due to:
• Technical complexity
• Hackers and virus spreaders
• Increasing ease of use, and the accessibility of IT systems
• Anywhere/anytime access
Although awareness of these security issues has increased significantly at board levels, most senior business managers are
uncertain about actions they should take and rely heavily on technical advisors. Proper governance of security, like any other
aspect of IT, requires top management to be more involved in setting direction and overseeing the management of risk.
It is essential therefore for executive management to understand why information security is important and take action to
ensure that:
• The importance of information security is communicated to all and that a policy exists to underpin activities in a changing environment.
• The ownership and responsibility for information security is accepted by senior management in the business as well as in IT.
• Everyone understands that security will not be satisfied simply by the appointment of a security manager – the security function is there to assist management and security is ultimately the responsibility of everyone.
• Any shortage of skilled resource in this area is addressed, as it may be impossible to retain all the necessary skills and functions in-house.
• Responsibility for any security aspects of corporate compliance is accepted by the Board.
Management concerns are focused on:
• Gaps – what and where are the significant and specific weaknesses in security?
• Are these weaknesses being addressed?
• Are resources and money being wisely invested and are the right controls being implemented in the areas most vulnerable to threat?
9.2 What is information security?
One of the causes of poor information security and ineffective governance of information security is a misunderstanding
of what it actually covers and how it should be addressed. The ITGI publication, Information Security Governance:
Guidance for Boards of Directors and Executive Management, describes information security as follows:
“Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, ‘valuable assets’ are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of vulnerabilities such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. The objective of information security is ‘protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.’”
According to the IFAC guidance, the major activities associated with information security management relate to the items in Figure 9.2.
Figure 9.2
Policy Development: The security objective and core principles provide a framework for the first critical step for any organisation – developing a security policy.
Roles & Responsibilities: For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all.
Design: Once a policy has been approved by the governing body of the organisation and related roles and responsibilities assigned, it is necessary to develop a security and control framework that consists of standards, measures, practices, and procedures.
Implementation: Once the design of the security standards, measures, practices, and procedures has been approved, the solution should be implemented on a timely basis, and then maintained.
Monitoring: Monitoring measures need to be established to detect and ensure correction of security breaches, such that all actual and suspected breaches are promptly identified, investigated, and acted upon, and to ensure ongoing compliance with policy, standards, and minimum acceptable security practices.
Awareness, Training, & Education: Awareness of the need to protect information, training in the skills needed to operate information systems securely, and education in security measures and practices are of critical importance for the success of an organisation’s security program.
9.3 Where to focus
Faced with the fear of unknown risks, and uncertainty regarding the effectiveness of existing controls, top management naturally wonder where to focus attention and set priorities. A risk assessment is usually the best place to start, and this should be based on analysis of the likelihood of different threats, vulnerability and impact. Consideration of the impact of security threats should always be the responsibility of business management, who should ultimately sign off acceptance of the risk management plan. In practice, this is an area where the business needs to be more involved.
It will be helpful if the risk assessment can be converted to a financial value derived from the impact – even if this is only approximate and based on rough estimates or scales – since decisions to improve security will usually be made on financial parameters.
A complementary approach is to focus on establishing a security baseline irrespective of the risks – i.e. ensure that all the basic measures are in place. This can be based on standard guidance such as the ISO17799 (www.iso.org) standard or freely available guidance such as the CobiT Security Baseline (www.itgi.org). A key element of this approach is to build security into the infrastructure, rather than adding it on a piecemeal basis.
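The risk assessment just described, carried through as a worked example (added here; it is not the IMPACT SIG's own method or text): likelihood, vulnerability and impact are scored and converted into an approximate annual financial loss so that security investments can be ranked and handed to a business owner for sign-off, and a separate baseline check lists the basic measures that are missing regardless of that ranking. The scoring scales, their numeric mappings, the baseline control list and the sample risks are all constructed assumptions.

```python
"""Risk assessment expressed in financial terms, plus a baseline check.

Added illustration; not from the IMPACT SIG document. The likelihood and
vulnerability scales, their numeric mappings, the baseline control list and
every risk below are constructed assumptions for the example.
"""
from dataclasses import dataclass

# Assumption: a 1-5 likelihood score maps to an expected number of threat
# events per year.
LIKELIHOOD_EVENTS_PER_YEAR = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}
# Assumption: a 1-5 vulnerability score maps to the fraction of threat events
# that succeed given the controls currently in place.
VULNERABILITY_SUCCESS_FRACTION = {1: 0.1, 2: 0.25, 3: 0.5, 4: 0.75, 5: 1.0}


@dataclass
class Risk:
    threat: str
    likelihood: int        # 1-5, how often the threat is attempted
    vulnerability: int     # 1-5, how weak the current controls are
    impact_value: float    # estimated financial loss of one successful event
    business_owner: str    # the manager who must sign off risk acceptance


def annual_expected_loss(risk):
    """Approximate yearly loss: events per year x success fraction x impact."""
    return (LIKELIHOOD_EVENTS_PER_YEAR[risk.likelihood]
            * VULNERABILITY_SUCCESS_FRACTION[risk.vulnerability]
            * risk.impact_value)


def prioritise(risks):
    """Rank risks by expected loss, highest first, as (threat, owner, loss)."""
    ranked = sorted(risks, key=annual_expected_loss, reverse=True)
    return [(r.threat, r.business_owner, round(annual_expected_loss(r), 2))
            for r in ranked]


# Constructed baseline: the "basic measures" expected to be in place
# irrespective of the risk ranking.
BASELINE_CONTROLS = frozenset({
    "security policy approved",
    "patch management",
    "malware protection",
    "backup and restore tested",
    "access control reviews",
    "incident response procedure",
    "security awareness training",
})


def baseline_gaps(implemented_controls):
    """Baseline measures that are missing, whatever the risk scores say."""
    return sorted(BASELINE_CONTROLS - set(implemented_controls))


# Constructed sample register; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Phishing leading to credential theft", 5, 3, 40_000, "Head of Sales"),
    Risk("Ransomware on file servers", 3, 4, 250_000, "Operations Director"),
    Risk("Data centre flood", 1, 2, 1_000_000, "Facilities Director"),
    Risk("Insider misuse of customer data", 2, 3, 150_000, "Head of Customer Service"),
]
SAMPLE_IMPLEMENTED = {"patch management", "malware protection",
                      "security awareness training"}


if __name__ == "__main__":
    for threat, owner, loss in prioritise(SAMPLE_RISKS):
        print(f"{loss:>12,.2f}  {threat}  (sign-off: {owner})")
    print("Baseline gaps:", baseline_gaps(SAMPLE_IMPLEMENTED))
```

The two outputs are deliberately separate: the ranked list is what the business signs off (and it changes as estimates are refined), while the baseline gaps are fixed requirements that do not depend on anyone's estimate of likelihood.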
9.4 Roles and Responsibilities
“Executive management, information systems security professionals, data owners, process owners, technology providers, users, and information systems auditors all have roles and responsibilities in ensuring the effectiveness of information security. Due diligence must be exercised by all individuals involved in the management, use, design, development, maintenance, operation, or monitoring of information systems.” (International Federation of Accountants (IFAC) Statement on Managing Security of Information, 1998)
“Too often information security has been dealt with as a technology issue only, with little consideration given to enterprise
priorities and requirements. Responsibility for governing and managing the improvement of security has consequently been
limited to operational and technical managers.
However, for information security to be properly addressed, greater involvement of boards of directors, executive management
and business process owners is required. For information security to be properly implemented, skilled resources such as
information systems auditors, security professionals and technology providers need to be utilised. All interested parties should
be involved in the process.” 6
Specific roles:
A Forum or Council should be established to set policy, ensure that consensus is reached on where security investments
should be made, and for approving and overseeing execution of the risk management plan. The Forum should share
knowledge of IT and risks, be focused on business objectives not technical solutions and include representatives from key
business units, IT, internal audit and outsource suppliers. It should report into a governance board (or group IT board).
An IT Security Manager should be in place as an advisor to management and the project owner of the security action plan. However, care must be taken to avoid implying that security has now been dealt with by hiring such a person (when it is everyone’s responsibility) or that this role relieves top management of their overall governance responsibilities. The role can be part time and is often supported by external advisors. It is often part of a Risk Management function.
An Operational Team will be needed to maintain and monitor security processes and operate administrative procedures.
This is usually a technical function and it is increasingly being outsourced.
The Audit Function plays a key independent role in monitoring and assessing the adequacy of security within the
organisation.
A useful approach to improving the understanding, awareness and ownership of security within the business is to appoint
Information Security Coordinators.
It is critical to influence the Investors, Providers & Controllers positively so that they understand the objectives and benefits of IT Governance and are able to communicate consistently with each other and within their groups. The table below summarises how IMPACT SIG members believe each group of stakeholders should focus on their security responsibilities (Figure 9.4).
6. Information Security Governance: Guidance for Boards of Directors and Executive Management, the IT Governance Institute®.
Third party security providers
Given that IT security is a specialised topic and there is a shortage of skills, organisations will often seek support from third parties.
Information security specialists can play a key advisory role, although governance and final decision-making must remain in-house. There is also an opportunity for cost reduction compared with permanent in-house staff. Examples of outsourced security activities include:
• Testing (e.g. following patches)
• Vulnerability testing (note: penetration testing must be performed with care as it may crash the system)
• Incident management
Special care should be taken when dealing with outsourced suppliers:
• Contractors need to be vetted for security purposes
• Suppliers do have a responsibility to manage security within their own activities – make sure this happens
• Although the supplier has to be trusted to carry out checks, the client must ensure that the necessary checks are in place
• Regulations such as Sarbanes-Oxley require that governance responsibility remains in-house
Figure 9.4: Who needs to be involved, and their key security responsibilities
Investors
Who needs to be involved?
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance
Key Security Responsibilities
• Risk sign-off
• Own the business case
• Set policy
• Define expectations and requirements
• Ensure legal and regulatory compliance
• Review performance
• Monitor delivery
• Quantify impact of risk
• Challenge the risk management plan
• Approve proposals and metrics
• Prioritise actions and investments
• Supply necessary resources
• Set culture and environment
Providers
Who needs to be involved?
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. Business sponsors, Project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/Policy owners e.g. HR, Facilities Management, Legal
Key Security Responsibilities
• Risk analysis
• Design and implementation
• Creation of business cases – cost and solution
• Security operations
• Security administration
• Monitoring security incidents
• Education and training (both IT and HR)
• Creation and maintenance of scorecards for performance measurement
Controllers
Who needs to be involved?
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/Post project review teams
Key Security Responsibilities
• Understand impact of regulations
• Monitor adequacy and performance of controls (assessments and audits)
• Test actual performance of controls
• Monitor performance (execution of improvements)
• Provide independent assurance to management

9.5 Action planning and best practice
IMPACT SIG members suggest the following action steps be considered:
1. Classify objectives and actions into technical and non-technical areas
2. Ensure that an effective security policy is in place
3. Establish a security baseline
4. Cover key vulnerabilities
5. Communicate management concerns for security to ensure staff awareness
6. Focus on changes – evaluate and test for security exposures
7. Ensure that Board presentations emphasise security as an enabler and not as a disabler

10 Legal & Regulatory Aspects of IT Governance
10.1 Legal and regulatory factors affecting IT Governance (page 53)
10.2 Roles and responsibilities (page 54)
10.3 Best approach to compliance (page 55)
10.4 What IT has to do (page 56)
10.5 Dealing with third parties (page 58)
10.6 Critical success factors (page 59)
In recent years there has been a general increase in the number of regulations affecting the use of IT, and also in the number of situations where legal measures need to be considered. This is due to the need to guard against a wide range of new IT-related risks and to a general increase in corporate regulations.
The impact of not taking sufficient care over legal or regulatory requirements can be considerable, including:
• Loss of reputation
• Inability to trade
• Financial penalties and losses
• Loss of competitive advantage
• Loss of opportunity
On the other hand, the benefit of complying with regulatory requirements and using legal measures to protect commercial interests can be considerable, including:
• General improvement in overall control of IT related activities
• Reduced losses and administrative costs
• More efficient and effective negotiation of commercial transactions
• A greater ability and confidence to take risks – because senior management feel more in control
There is a wide range of laws and regulations, some specific to industry sectors, that can have an impact on IT. Every organisation must identify the specific regulations affecting it and respond accordingly, and ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholders so that each group can apply its specific expertise effectively. External advice must be sought whenever the issues are sufficiently risky or complex.
Every organisation relies on a growing number of third parties for support of IT services. From a legal and regulatory
perspective this means that there is potentially a complex hierarchy of responsibilities that combine to meet the legal and
regulatory needs of the customer. Ultimately it is the customer’s responsibility to ensure that all the right controls are in place
with any third party that is relied upon for legal and regulatory compliance.
10.1 Legal and regulatory factors affecting IT Governance
The recent increase in the number of regulations affecting the use of IT is due to a number of factors, including:
• A greater interest by regulators in the operations of all organisations, caused by major corporate financial failures and scandals, which is resulting in regulations like the US Sarbanes-Oxley Act forcing Boards of Directors to express opinions about their systems of control.
• Concerns about security and privacy fuelled by the overall increase in use of computers and networks and the impact of the Internet.
• Laws to protect personal information and its potential misuse in electronic form.
• A growth in the use of computer systems and networks for criminal activity and terrorism, including viruses, hacking, money laundering and pornography etc.
• A growth in complex contractual relationships for IT services and products (outsourcing, managed services, product licenses etc.).
• The growth in all forms of electronic media and the potential for misuse of valuable information assets, resulting in copyright and intellectual property issues of concern to both vendors and users.
What might appear to be an initial regulatory burden can become an opportunity to transform to better
managed practices if the rules are used positively and applied productively. Corporate regulations like
the Sarbanes-Oxley Act can be just a minimalist compliance procedure with no potential benefit to the
business or be used as an opportunity to invest in better IT controls. Compliance with IT-related legal and
regulatory requirements and the effective use of legal contracts are clearly part of the effective control and
oversight of IT activities by senior management and therefore key aspects of IT Governance.
There is a wide range of laws and regulations, some specific to industry sectors, that can have an impact on IT. Every organisation must identify the specific regulations affecting it and respond accordingly. The IMPACT SIG has identified the following areas that ought to be considered:
• Personal data and privacy
• Corporate Governance, financial reporting, stock market requirements
• Money laundering, and other criminal acts
• Intellectual Property, Trademarks and Copyright
• Electronic communication, signatures etc.
• Electronic commerce
• Email monitoring, appropriate use and confidentiality
• Email defamation
• Document and record retention
• IT products and services contracts
• Sector specific regulations e.g. financial, health, pharmaceutical etc.
10.2 Roles and Responsibilities
Dealing with legal and regulatory requirements and knowing how best to use legal contracts can be challenging for IT experts who are not knowledgeable about legal matters, and for business managers who may not appreciate all the legal risks and issues associated with the use of advanced technology.
Organisations should therefore ensure that the roles and responsibilities for understanding legal and regulatory matters are properly defined for each group of stakeholders so that each group can apply its specific expertise effectively. External advice must be sought whenever the issues are sufficiently risky or complex.
10.3 Best approach to compliance
Ideally organisations should deal with legal and regulatory requirements on a “business as usual” basis instead of reacting on
a case-by-case basis.
In practice, it is recommended that a framework for dealing with legal and regulatory issues be established. Because
IT is fast changing and new regulations are also emerging, any such framework must be flexible and responsive to new
requirements.
Table 10.2: Who needs to be involved, and their legal and regulatory responsibilities
Investors
Who needs to be involved?
• The Board
• IT Council/Management Team
• Senior business unit managers e.g. key customers of IT services
• Business Partners
• External investors/shareholders – as part of corporate governance
Legal and Regulatory Responsibilities
• Understand requirements (what regulations are to be complied with)
• Set the mandate
• Set priorities and expectations
• Establish and ensure the expected degree of compliance
• Based on advice concerning risk and cost:
– Assess impact on business
– Provide resource and funding to ensure issues are addressed
– Define who is accountable
– Obtain internal or external assurance as required that issues have been addressed and controls established
• Monitor and evaluate compliance programmes and significant commercial contracts
• Sign off specific compliance programmes
• Provide approvals when required for significant legal or regulatory decisions
Providers
Who needs to be involved?
• Project and change managers (IT and Business)
• Programme managers
• Business managers and users
• Technical delivery and support teams
• Key players e.g. Business sponsors, Project champions
• Relationship managers and internal communications teams
• Suppliers (especially outsourced service providers)
• Contract and procurement management
• Peripheral players/influencers/Policy owners e.g. HR, Facilities Management, Legal
Legal and Regulatory Responsibilities
• Advise on IT related technical and commercial risks that could impact legal and regulatory requirements
• Provide proposals and business cases for legal and regulatory programmes, projects or action plans
• Formulate solutions for compliance or commercial contracts
• Identify best practices for ongoing good control of legal and regulatory requirements
• Exploit technology and tools where appropriate for ensuring compliance (e.g. asset registers)
• Execution of compliance and contractual processes, and operation of related controls
• Provide compliance framework to ensure a sustainable “business as usual” approach to compliance
• Provide evidence of compliance
• Provide information relating to the cost of compliance and also cost of any incidents
• Evaluate impact on business environment together with business units
• Ensure vendors, service providers, and subcontractors are involved properly and integrated within the overall compliance approach
Controllers
Who needs to be involved?
• Internal audit and external audit (due diligence)
• External regulators
• Corporate governance coordinator
• Risk managers
• Compliance – regulatory and internal
• Finance/Project Managers/IT and business managers – reviewers of benefits/ROI
• Post investment appraisal/Post project review teams
Legal and Regulatory Responsibilities
• Maintain awareness of current and emerging laws and regulations affecting IT to assess their impact on the organisation’s business
• Develop an understanding of their impact on the organisation and advise accordingly on “what is needed” – not necessarily “how”
• Monitor adequacy of controls and compliance processes
• Monitor the business and IT functions for performance in meeting legal and regulatory requirements and report back to management with advice regarding any shortcomings
• Provide independent assurance to management that adequate controls are in place to deal with legal and regulatory requirements

Figure 10.3 illustrates a common problem when new regulatory requirements are imposed. To be effectively handled the
decisions concerning the regulation should be taken at the level at which business objectives are set and within the group or
business risk framework. This is the necessary level at which priorities can be determined and the standards framework can
be applied.
However, as illustrated, a special programme is frequently set up outside the remit of existing standards and governance in
the hope that the new regulatory environment can be incorporated. This is usually unsuccessful or inefficient because outside
of existing governance it is very difficult to allocate and establish responsibilities for monitoring and testing. Similarly, there
can be no clear prioritisation or co-ordination among different regulatory requirements. Conversely, when the left-hand route
is followed and a new regulation comes into force, it is possible to identify where there are already procedures in place that
enable the new requirements to be met.
For complex IT environments, the importance of the framework is emphasised by the need to understand which standards
affect which systems. Then it becomes possible to address all the relevant systems when standards have to change:
• Consider regulatory issues together
• Do not set up separate projects which may conflict with the standard approach
• Decision making must rest with the business in terms of the extent and nature of compliance
Figure 10.3
10.4 What IT has to do
Historically, most IT people did not think about compliance, except in terms of good practice, because regulations rarely impacted the technical environment. Gradually this has changed, first with IT-specific legislation like the Data Protection Act, and most recently by the realisation that corporate-level regulations like Sarbanes-Oxley must be inextricably linked to the IT systems because corporate information and financial reporting have become so automated.

In addition, due to the very significant cost of IT investments, and the complexity of customer and supplier relationships,
legal contracts for IT services are being given much more careful attention. These contracts in turn demand greater controls
be demonstrated by the parties to the contract, over many issues such as security, intellectual property, service availability,
ownership of deliverables, support of products etc.
As a consequence, IT service providers, vendors, and internal IT functions are all realising that they must be better organised
from a control and compliance perspective. It is only a relatively recent realisation that IT related controls should be
documented and monitored by IT functions, increasingly driven by regulatory pressure.
Business objectives and processes should drive the system of internal control and therefore the documentation process. The flow should be as shown in Figure 10.4.
For an efficient and effective compliance process, the documentation should be in a language that auditors would use, and
therefore it is best to work with the audit community and adopt a common language and approach such as CobiT.
IT functions increasingly need to be more involved in legal and regulatory requirements and should:
• Work with the business users and risk management groups to identify critical systems and compliance priorities.
• Document architectures so that the overall environment is understood on a continuous basis.
• Define processes in IT in a logical, well ordered fashion, meaningful to auditors and management (e.g. based on CobiT).
• Appoint process owners so there is accountability and responsibility.
• Understand control concepts, the need for IT controls, and how they relate to business level controls.
• Document these processes and controls (especially for compliance critical systems), and maintain the documentation as changes occur.
• Standardise wherever possible to avoid duplication of effort.
• Maintain evidence of controls being exercised to be better able to demonstrate compliance.
• Generate business benefits from the control and compliance projects by performing gap analyses to drive improvements and efficiencies as well as building good controls.
• Consider the whole infrastructure rather than tackling items on a piecemeal basis.
• Be responsible for diligent procurement and proper control and management of third parties.
To achieve these objectives:
• IT should seek advice from HR, Legal, and Audit, and if necessary external experts.
• Adopt standard approaches and best practices – don’t attempt to reinvent the wheel, as it wastes time and makes working with partners and auditors much less effective (compare with accounting – standard procedures are essential).
• Build in the need for third party testing as required.
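One way to keep the documentation the section asks for, as an added example (it is not code or a method from the IMPACT SIG document): a register of controls, each mapped to the regulations that require it and the systems it applies to, with a process owner and evidence that it operated. It answers the question raised at the end of 10.3, which systems must be revisited when a standard changes, and it also flags the controls that have no accountable owner, no evidence an auditor could inspect, or that serve several regulations at once and are therefore worth standardising on. Regulation, system, owner and control names are constructed placeholders.

```python
"""Control framework register: which standards affect which systems.

Added illustration, not code from the IMPACT SIG document. It models the
documentation the text asks IT to maintain: controls mapped to the regulations
that require them and the systems they apply to, with a process owner and
evidence of operation. All regulations, systems, control ids and owners below
are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    control_id: str
    description: str
    regulations: set            # standards/regulations that require this control
    systems: set                # systems the control applies to
    process_owner: Optional[str] = None   # accountable owner, None if unassigned
    evidence: list = field(default_factory=list)  # records showing it operated


def systems_affected_by(controls, regulation):
    """Every system that must be revisited when this regulation changes."""
    affected = set()
    for control in controls:
        if regulation in control.regulations:
            affected |= control.systems
    return sorted(affected)


def controls_for_system(controls, system):
    """Control ids that a given system is subject to (compliance-critical view)."""
    return sorted(c.control_id for c in controls if system in c.systems)


def unowned_controls(controls):
    """Controls with no process owner: nobody is accountable for them."""
    return sorted(c.control_id for c in controls if not c.process_owner)


def controls_without_evidence(controls):
    """Controls that could not currently be demonstrated to an auditor."""
    return sorted(c.control_id for c in controls if not c.evidence)


def shared_controls(controls):
    """Controls that satisfy more than one regulation at once; standardising
    on these avoids running a separate project per regulation."""
    return sorted(c.control_id for c in controls if len(c.regulations) > 1)


# Constructed register. Regulation and system names are placeholders.
REGISTER = [
    Control("AC-01", "Quarterly user access reviews",
            {"Sarbanes-Oxley", "Data Protection"}, {"ERP", "HR-DB"},
            process_owner="IAM lead", evidence=["Q1 access review sign-off"]),
    Control("CM-02", "Approved change records for production releases",
            {"Sarbanes-Oxley"}, {"ERP", "GL"}),
    Control("BK-03", "Tested backup and restore",
            {"ISO17799"}, {"ERP", "HR-DB", "File server"},
            process_owner="Operations manager", evidence=["March restore test"]),
    Control("DP-04", "Personal data retention and deletion",
            {"Data Protection"}, {"HR-DB", "CRM"},
            process_owner="Legal"),
]


if __name__ == "__main__":
    print("Systems affected if Sarbanes-Oxley changes:",
          systems_affected_by(REGISTER, "Sarbanes-Oxley"))
    print("Controls on HR-DB:", controls_for_system(REGISTER, "HR-DB"))
    print("No owner:", unowned_controls(REGISTER))
    print("No evidence:", controls_without_evidence(REGISTER))
    print("Shared across regulations:", shared_controls(REGISTER))
```

The same register serves both directions of the lookup the text describes: from a changed standard to the systems that need attention, and from a compliance-critical system to the controls it depends on. The ownership and evidence checks are what turn the register from documentation into something that can be monitored.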
10.5 Dealing with third parties
Every organisation relies on a growing number of third parties for support of IT services. From a legal and regulatory
perspective this means that there is potentially a complex hierarchy of responsibilities that combine to meet the legal and
regulatory needs of the customer. Ultimately it is the customer’s responsibility to ensure that all the right controls are in place
with any third party that is relied upon for legal and regulatory compliance.
Conversely, service providers have their own corporate governance agenda, combined with the pressures of their business
models – usually to provide a better service at a lower cost than the customer had previously experienced:
T h e y h a v e t o w o r k w i t h d i f f e r i n g g o v e r n a n c e m o d e l s o f b u s i n e s s p a r t n e r s a n d
c l i e n t s .
I n t h e o r y t h e y m i g h t u s e a s t a n d a r d m o d e l a c r o s s a l l b u t i n p r a c t i c e t h i s i s
u n l i k e l y.
– L a r g e c l i e n t s , i n p a r t i c u l a r, a r e u n w i l l i n g t o c h a n g e t h e i r o w n m o d e l .
– C l i e n t s c a n n o t b e o b l i g e d t o d o b u s i n e s s i n a w a y s p e c i f i e d b y t h e p r o v i d e r.
The outsourcer or provider may not ensure full coverage of legal and regulatory requirements:
T h e c u s t o m e r m a y g o t o t h e p r o v i d e r a n d s p e c i f y w h a t i s r e q u i r e d o r p r o v i d e a
q u e s t i o n n a i r e , b u t t h e p r o v i d e r m a y s t i l l n o t h a v e t a k e n a c t i o n h i m s e l f o r k n o w w h a t
i s r e q u i r e d .
P e o p l e w h o n e g o t i a t e o u t s o u r c i n g c o n t r a c t s a r e u s u a l l y a t a c o m m e r c i a l b u s i n e s s
l e v e l , n o t d r i v e n b y c o n t r o l s a n d c o m p l i a n c e i s s u e s .
In order for both sides to be clear on responsibilities it is essential that sufficient in-house capability is retained. Most
organisations actually get more rigour when they outsource but most contracts are built around existing operations with all
their limitations. The onus should be on the provider to spell out the risks – but the provider will not improve controls unless
paid to do so, or can see a commercial benefit in making the necessary investment.
Legally there is a standard reasonable expectation of basic service, and ultimately it is a question of negligence if controls
were not operated properly.
The provider is unlikely to provide a higher level of control in specific situations (such as security) than the client had originally
operated himself – but must have nevertheless an adequate set of controls. Special requirements such as vulnerability testing
will not normally be seen as part of a contract unless formally requested and paid for.

IT Governance Developing a Successful Governance Strategy
10.6 Critical success factors
The IMPACT SIG identified the following success factors to enable effective ongoing legal and regulatory compliance and
proper control of legal contracts:
• Establish the right culture to encourage diligence and good controls
• Communication throughout the organisation based on a Board level mandate is essential to make sure everyone takes the issues seriously and uniformly
• Involve the right people as advisors but do not abdicate responsibility
• Retaining responsibility for control and compliance when using service providers
• Standardisation and a common approach is the most effective and efficient way to meet compliance requirements
• Use frameworks and accepted compliance models especially those accepted by auditors
• Integrate compliance objectives into the IT strategy
• Ensure management are actively involved – not just performing a sign-off at the end
  – Set the tone at the top
• Institutionalise compliance behaviour
  – Engage the governance and risk management groups (those who own the framework) as soon as possible
  – Provide a positive spin – good controls can be very beneficial
  – Make compliance normal business practice rather than a project
• Make compliance meaningful and relevant
  – Translate into normal language
  – Explain business context
  – Carry out awareness training
• Establish mechanisms for evidence and documentation
• Establish metrics for monitoring performance
• Create incentives and/or penalties as part of personal objectives
• Do regular compliance checking and tests
• Do regular review of risks (include 3rd parties)
• Have good incident management procedures to learn from legal and regulatory incidents

11 Architecture Governance
11.1 Why is Architecture Governance important? (p. 60)
11.2 What are the objectives of Architecture Governance? (p. 61)
Given the complexity and fast-changing nature of IT, architectures are important for defining technical direction, captured in a formal design that will support evolution and change, based on generally accepted standards as well as specific
design standards. Architecture governance is therefore to do with ensuring that the principles of architectures are properly
applied to the design and maintenance of information systems, meeting technical design standards as well as the business
purpose and strategic objectives for IT.
There are generally three overall end goals with respect to architecture governance:
• Business and IT Alignment (fit for purpose)
• Risk Management (reduced likelihood of design failures)
• Resource Management (cost effectiveness and value for money)
The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage
of available and emerging technology to drive and make possible the business strategy. This is enabled by creation and
maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards, of
what technology can offer in terms of products, services and delivery mechanisms. Given the significant amount of outsourcing
of IT services, the effective governance of architectures in these situations is a key consideration. The business strategy may
depend on an effective IT architecture, but who defines the architecture in the outsourced situation? The customer should
always take control of his own requirements including architectural decisions even if the provider offers existing solutions
and approaches. Senior management may assume that providers will develop technology to improve productivity – this is
not always the case. A capability for setting the direction for technology improvement should be retained in house and often
contracts will call for customers to control their own technical direction. Cost will usually be the driving factor in contractual
arrangements – who will pay for architectural upgrades?
The group identified the following critical success factors for achieving architectural governance:
• Ensure that the Architecture process and its governance is adequately funded
• Ensure good communications among all the groups concerned
• Align the architecture with the business strategy and the culture of the organisation
• Recognise that persuasion is always needed for compliance and that this can be enhanced by active project involvement, technical consultancy, provision of readily-available, cost-effective tool-kits and components
• Share all artefacts with outsource providers
11.1 Why is Architecture Governance important?
Architecture (in Greek αρχή = first and τέχνη = craftsmanship) is the art and science of designing structures. In the context
of computers, the term architecture is used to describe the technical design and interoperability of components that together
make up the information system i.e. hardware, software and network components.
Given the complexity and fast-changing nature of IT, architectures are important for defining technical direction, captured in
a formal design that will support evolution and change, based on generally accepted standards as well as specific design
standards. There is an analogy with the original use of architectures for defining the design of buildings – providing the
blueprint that demonstrates what the end product should look like, that it is formed on a solid foundation, that it is built
according to defined design standards, and that it meets the purpose for which it was intended.
Architecture governance is therefore to do with ensuring that the principles of architectures are properly applied to the
design and maintenance of information systems, meeting technical design standards as well as the business purpose and
strategic objectives for IT. The IT Governance and Technical Architecture SIG members believe that in many organisations the
challenge is to commit to a properly funded and business driven architectural approach. Often it is treated as too technical an
activity, with inadequate or insufficiently skilled resources, and with limited business and top management direction.
The group assessed the maturity of Architectural activities based on the CobiT® maturity model (see Appendix). This
assesses maturity on a scale from 0 to 5. An analysis of the maturity level of the organisations represented showed the
following:
• Current maturity ranged from 1+ to 4
  – In larger organisations there was a spread (e.g. from 2 to 4) across the different parts of the organisation
  – The lowest maturity was in a business where IT had recently been outsourced
• The maturity level aspired to was between 3+ and 4
  – No organisation saw level 5 as necessary
11.2 What are the objectives of Architecture Governance?
The definitions CobiT® provides for setting technical direction were used to help define the purpose of Architecture
Governance:
The process of determining technological direction via an IT Architecture satisfies the business requirement to take advantage
of available and emerging technology to drive and make possible the business strategy. This is enabled by creation and
maintenance of a technological infrastructure plan that sets and manages clear and realistic expectations and standards of
what technology can offer in terms of products, services and delivery mechanisms.
It considers:
• Capability of current infrastructure
• Monitoring technology developments via reliable sources
• Conducting proof-of-concepts
• Risk, constraints and opportunities
• Acquisition plans
• Migration strategy and roadmaps
• Vendor relationships
• Independent technology reassessment
• Hardware and software price/performance changes
Covering the following activities:
• Technological infrastructure planning
• Monitoring future trends and regulations
• Assessing technological contingency
• Planning hardware and software acquisitions
• Defining technology standards
The group believe that measurement of these activities is difficult and may often rely on perception of trends.
CobiT® suggests focusing on these key measurable outcomes:
• Number of technology solutions that are not aligned with the business strategy
• Percent of non-compliant technology projects planned
• Number of non-compatible technologies and platforms
• Decreased number of technology platforms to maintain
• Reduced applications deployment effort and time-to-market
• Increased interoperability between systems and applications
And these performance measures:
• Percent of IT budget assigned to technology infrastructure and research
• Number of months since the last technology infrastructure review
• Business functions’ satisfaction with the timely identification and analysis of technological opportunities
• Percent of technological domains within the technology infrastructure plan that have sub-plans specifying current state, vision state and implementation roadmaps
• Average length of time between the identification of potentially relevant new technology and the decision as to what to do with that technology
The Open Group (www.opengroup.org) defines an Architecture Governance Framework which covers:
• Governance processes
• Policy management
• Compliance assessments
• Dispensation procedures
• Monitoring and reporting
• Business control (compliance with the organisation’s business policies)
• Environment management (the physical and logical repository management) and governance environment (administrative processes).
Given the significant amount of outsourcing of IT services, the effective governance of architectures in these situations is a
key consideration. The business strategy may depend on an effective IT architecture, but who defines the architecture in the
outsourced situation? The customer should always take control of his own requirements including architectural decisions
even if the provider offers existing solutions and approaches. Unfortunately, weaknesses and bad practices in outsourcing
arrangements can lead to architectural misunderstandings or restrictions that can be costly or damaging to business
performance. On the other hand the provider may enable a customer to adopt a proven, reliable architecture at much lower
cost and in much faster timescales than agreeing and developing a solution in house (for example hosting services).
Senior management may assume that providers will develop technology to improve productivity – this is not always the case.
A capability for setting the direction for technology improvement should be retained in house and often contracts will call for
customers to control their own technical direction. Cost will usually be the driving factor in contractual arrangements – who will
pay for architectural upgrades? Even when improvements are called for by the contract, they may not be provided.

12 Managing the IT investment
12.1 Why is managing the IT investment important? (p. 63)
12.2 Portfolio management (p. 64)
12.3 Benefits management (p. 65)
12.4 Measuring investment performance (p. 65)
12.5 Improving value delivery and ROI (p. 66)
12.6 Measuring and controlling IT operational costs (p. 66)
12.7 Project risk management (p. 66)
Ensuring that value is obtained from investment in information technology is an essential component of IT governance. No investment, whether IT-related or not, should be undertaken without full knowledge of the expected cost and the
anticipated return. Expected return should always be related to risk as, given the higher likelihood of failure, high-risk projects
should always have an anticipation of a higher return. Ensuring that the right projects are approved in the first place implies
a need for accurate predictive costing of the total project across its lifetime and robust predictions of the potential return,
including quantification of the direct and indirect benefits. To ensure that the total process works and becomes part of the
culture of the organisation, it is essential to establish proper tracking mechanisms to determine the actual value delivered and
enable accountability.
Given the volatility of a portfolio of IT-related business projects, it is essential to embed active portfolio management into the
organisation to maximise value creation and minimise the risk of value destruction. As with any aspect of IT governance, the
process needs visibility, leadership and commitment from the top.
12.1 Why is managing the IT investment important?
“The basic principles of IT value are the on-time and within-budget delivery of appropriate quality, which achieves the benefits
that were promised. In business terms, this is often translated into: competitive advantage, elapsed time for order/service
fulfilment, customer satisfaction, customer wait time, employee productivity and profitability. Several of these elements are
either subjective or difficult to measure, something all stakeholders need to understand. Often, top management and boards
fear to start major IT investments because of the size of investment and the uncertainty of the outcome. For effective IT value
delivery to be achieved, both the actual costs and the return on investment need to be managed” (ITGI Board Briefing V2
2004).
20% of all expenditure on IT is wasted [7], representing, on a global basis, annual value destruction of US$500bn according
to a 2002 Gartner paper (Gartner, ‘The Elusive Business Value of IT’, August 2002). It is then no surprise that there is an
increasing demand from boards and executive management for generally accepted guidelines for investment decision-making
and benefit realisation. While particularly applicable to IT-enabled business investments, where IT is a means to an end, the
need is equally applicable to all investment decisions. In the case of IT, the “end” is to contribute to the process of value
creation in the enterprise.
IT-enabled business investments, when managed well within an effective governance framework, provide organisations
with significant opportunities to create value. Without effective governance and good management, they provide an equally
significant opportunity to destroy value. Horror stories abound around the value destruction suffered by major organisations
through the failed implementation of IT enabled business investments. Nike reportedly lost more than US$200m through
difficulties experienced in implementing its supply chain software, failures in IT enabled logistics systems at MFI and
Sainsbury in the UK led to multi-million pound write-offs, profit warnings and erosion of share price. Other organisations have
suffered in a similar fashion.
On the other hand, many successful organisations have created value through selection of the right investments, and
successfully managing them through implementation to realising the expected value. Examples include IBM who reportedly
was able to save more than US$12bn over two years by linking disparate pieces of its supply chain and thereby reducing
inventory levels, and Southwest Airlines who were able to reduce procurement costs and increase service levels through their
supply chain transformation project.
7. IT Governance Institute® research on IT Value.

The message is clear. IT-enabled business investments can bring huge rewards with the right governance and management
processes and full commitment from all management levels. The process for managing IT investments can be summarised
as developing, implementing, operating and maintaining financial controls over IT investments and expenditures in line with
the IT strategic and tactical plans. Essential elements in this process are benefit and cost justification, budget ownership and
accountability and control of actual spending. The process should enable the effective and efficient use of IT resources and
provides transparency and accountability into the benefit realisation, total cost of ownership and return on investment of IT.
The role of IT Councils
Organisations should establish an IT Council (or Strategy Committee or similar group) at board level to ensure that IT
governance, as part of corporate governance, is adequately addressed. This committee reviews major investments on behalf
of the full board and advises on strategic direction. Below this committee an IT steering committee (or equivalent) should be
established to oversee the IT function and its activities and developing IT plans. The committee should determine prioritisation
of IT resources and projects in line with business needs and should be composed of executive management, business and IT
representatives. This committee structure will provide the oversight and direction of IT investments, ensuring accountability at
senior level and proper involvement of all stakeholders.
12.2 Portfolio management
Portfolio management is a good practice for coordinating any group of investments and can be effectively applied to IT
investments. It consists of:
• Working with the business to establish and maintain a portfolio of new and existing IT-enabled investment programmes that are needed to achieve business goals and which, together with existing IT services and assets, form the basis of the IT budget.
• Building a portfolio that recognises that there will be a variety of categories of investment which will differ both in complexity and in the degree of freedom in allocating funds.
• Aligning the portfolio with the strategic direction of the enterprise in order to achieve the right balance of investments.
• Having evaluation criteria in place that should include, at a minimum: alignment with the enterprise’s strategic objectives; financial worth (as determined by the practices of each enterprise); and risk, both delivery risk (the risk of not delivering a capability) and benefits risk (the risk of not realising the expected benefit from the capability).
• Implementing a decision-making process to prioritise the allocation of resources for IT operations, maintenance and systems development in order to manage and deliver an optimal return on the IT portfolio.
Portfolio management is needed to balance and prioritise between new projects and the operating costs of existing systems.
It can lead to possible savings on operating costs – e.g. via outsourcing or establishing shared services. Real portfolio
management implies a group at the top with an overview of priorities and what is needed – otherwise decisions will be based
on relationships and sometimes “who shouts loudest” rather than an objective analysis. Portfolio management should focus on
the total ongoing commitment not only the cost of the initial implementation. Managing portfolios can be difficult and requires
sound business judgment as well as disciplined management otherwise projects that may be significant to the business may
be overlooked or missed in the detailed management processes. For example, projects that are significant to aligning with the
business strategy or small initiatives that are critical opportunities may be overlooked. Like all governance activities decisions
made at the top level regarding the portfolio investment approach must be communicated down to individual programmes and
projects and be monitored.
Portfolio Monitoring
Having created an investment portfolio approach, and approved individual investment programmes, there is a need to monitor
(post sign-off) all active programmes, just as one would a financial investment portfolio of, for example, equities or properties.
Costs need to be monitored as well as cost reduction in business areas and revenue generating potential in the business.
The portfolio should also be monitored to ensure continuous alignment with strategic business drivers which may be changing
with time and with risk factors – both internal to projects and externally. Projects can be very hard to stop, although it is a good
practice to review projects on a regular basis and cancel those that are not likely to deliver value. It is recommended that a
project office be established working at the programme level, monitoring standards, targets and deliverables. It can be difficult
to find and keep the appropriate people in place for this kind of work. Experience has shown that it can be effective to use
bright, temporary people or contractors who will also be more likely to give objective assessments.

Acquisition programmes and procurement projects in the UK central civil government are subject to OGC Gateway Reviews.
The OGC Gateway Process examines a programme or project at critical stages in its lifecycle to provide assurance that
it can progress successfully to the next stage; the process is based on well-proven techniques that lead to more effective
delivery of benefits together with more predictable costs and outcomes. It is designed to be applied to delivery programmes
and procurement projects, including those that procure IT-enabled business change. The OGC Gateway Process provides
assurance and support for Senior Responsible Owners (SROs) in discharging their responsibilities to achieve their business
aims. For more guidance refer to www.ogc.gov.uk.
12.3 Benefits management
Monitoring whether or not benefits are being delivered is a key aspect of investment management. Without it, it will be
impossible to know whether a return on the investment has been realised. In practice though, it seems this is rarely done for
IT investments.
The objectives of benefits management should include:
• Implementation of a benefit monitoring process.
• Identification of IT’s expected contribution to business results, either as a component of IT-enabled investment programmes, or as part of regular operational support and then agreed, monitored and reported on.
• Reporting opportunities to improve IT’s contribution, appropriate actions should be defined and taken.
• Updating the programme business case where changes in IT’s contribution impact the programme, or where changes to other related projects impact the programme
The IMPACT IT Governance SIG members believe that seldom does true benefit monitoring take place. Business sponsors
should manage benefits but usually they do not. This may be because of job movement in the business, or because the
business owner of change is often not the operational owner of the benefits. The main reason though is probably a lack of
willingness for the senior business sponsor to take ownership and accountability for monitoring benefits. Investment oversight
and the drive to apply discipline to the monitoring process should be directed by the IT Council or management team via a
standard process.
12.4 Measuring investment performance
Management should establish a general monitoring framework and approach that defines the scope, the methodology and the
process to be followed for monitoring IT’s contribution to the results of the enterprise’s portfolio management and programme
management processes. The framework should be integrated with the corporate performance management system. The
objective is to assess the overall performance of the portfolio of investments. Investment performance assessment should
review how the products of IT activities are performing – not just IT as such but the whole process. Many lessons can be
learnt from analysing why projects are successful or not successful. Setting actual targets and metrics should be driven by the
stakeholders who should also approve and monitor them.
Figure 12.4
12.5 Improving value delivery and ROI
To optimise the business value realised from IT-enabled investments it is recommended that [8]:
• IT-enabled investments are managed as a portfolio of investments.
• IT-enabled investments include the full scope of activities that are required to achieve business value.
• IT-enabled investments are managed through their full economic life-cycle.
• Value delivery practices define and monitor key metrics and respond quickly to any changes or deviations.
• Value delivery practices engage the business and assign appropriate accountability for the delivery of capabilities and the realisation of business benefits.
• Value delivery practices are continually monitored, evaluated and improved.
• A disciplined approach is enforced to portfolio, programme and project management, insisting that the business takes ownership of all IT-enabled investments and that IT ensures optimisation of the costs of delivering IT capabilities and services.
• Technology investments are standardised to the greatest extent possible to avoid the increased cost and complexity of a proliferation of technical solutions.
12.6 Measuring and controlling IT operational costs
When managing IT investments, there is a tendency to concentrate on new projects rather than ongoing operations. The
operational budget is likely to be a much larger financial amount than new investments, and there are often opportunities
to optimise these ongoing costs. It is therefore recommended that a cost management process be implemented comparing
actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in
a timely manner and the impact of those deviations on programmes should be assessed and, together with the business
sponsor of those programmes, appropriate remedial action should be taken and, if necessary, the programme business case
should be updated. If the costs are recorded and analysed down to the lowest “service” level, then the business can decide
whether to use the service. Doing this may be costly – especially if carried to too low a level, so it is most effective to focus on
significant services and cost areas.
12.7 Project risk management
Project risk management is a very valuable process, providing an independent monitoring function. Its purpose is
to eliminate or minimise specific risks associated with individual projects through a systematic process of planning,
identifying, analysing, responding to, monitoring and controlling the areas or events that have the potential to cause
unwanted change. It can include a focus on costs and benefit realisation. In this context project risk management should
focus on the following:
• Risk assessments that look beyond the internals of the project
• Identifying the factors to be considered in advance in a “risk register”
• Tracking these items on a continuous basis
• Understanding the proximity of the risk – when might it hit?
• Evaluating the severity of the risk to determine the frequency of monitoring needed
• Risks considered to be high should be closely monitored – by the steering committee if appropriate – and feedback should be obtained
• Project risks that relate to execution and delivery; examples of external business-related risk include:
  – Will the customer want it?
  – Need for market testing
  – Proof of concept needed?
8. IT Governance Institute®, ValIT Framework.

13 Success Factors
Focus on the following success factors:
• Treat IT governance initiatives as a project, not a ‘one-off’ step. The goal is to make governance “business as usual”.
• Obtain top management buy-in and ownership. This needs to be based on the principles of best managing the IT investment.
• Remember that implementation involves cultural change as well as new processes. Make sure you enable and motivate these changes.
• Manage expectations. In most enterprises, achieving successful oversight of IT takes some time and will involve continuous improvement.

NATIONAL COMPUTING CENTRE
IT Governance
Developing a successful governance strategy
A Best Practice guide for decision makers in IT
Throughout the past five years, we have witnessed unparalleled corporate scandals and
failures in global businesses. The result: heightened focus on corporate governance, stricter
regulations and new directors’ responsibilities, all adding to the pressure on IT Directors and
CIOs. They must now demonstrate to auditors that IT systems which support financial reporting,
as well as monitor and manage business performance, are based on sound management
systems and controls.
Against this background, it has never been more important to ensure your organisation
governs the use of IT properly. With corporate governance on every boardroom agenda –
and increasing scrutiny of IT’s performance – IT governance has become a hot topic around
the world. For many businesses, IT governance initiatives are already transforming the
way their organisations take responsibility for IT. For others, it is a challenge just knowing
where to start.
Recognising the challenges faced by CIOs in establishing effective IT governance, the NCC’s
IMPACT Programme launched an IT Governance Special Interest Group (SIG). Its aim was
to identify not just the issues that need to be addressed, but also practical approaches for
organisations to follow. Over the past two years, heads of IT governance from Abbey, Aon,
Avis, Barclays, BOC, DfES, Eli Lilly, Learning & Skills Council, Legal & General, Marsh, NOMS,
Royal Mail, and TUI Group examined the key challenges. They shared successful approaches
and defined best practice.
This IT Governance Best Practice Guide is a comprehensive insight into the principles and
practices that the group put together. It is presented in a form that should help you to
better understand how to guide successful IT governance initiatives and make effective
management and control of IT resources “business as usual”.
This Guide forms part of the NCC ‘Best Practice’ Guides series and is intended to be of
practical use for decision makers in IT. This guidance is achieved through industry consensus,
managed by NCC, across the broadest range of professionals and experts.
National Computing Centre
Oxford House,
Oxford Road,
Manchester M1 7ED
Tel: 0161 242 2121
Fax: 0161 242 2499
The IMPACT Programme
International Press Centre,
76 Shoe Lane,
London EC4A 3JB
Tel: 0207 842 7900
Fax: 0207 842 7979

ISBN 0-85012-897-8
£35.00 NCC Members
£50.00 Non NCC Members
