Business Integrity, Ethics and Control ; these terms are the new maxim of corporate governance. One will come across these terms quite often even when you talk among friends and colleagues. I have always wondered why there is such a big interest about Governance, in particular IT Governance.
The rising interest in IT governance is partly due to compliance initiatives
(e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the
acknowledgement that IT projects can easily get out of control and
profoundly affect the performance of an organization. Historically,
IT has always been managed separately from the business and it is
always confined to the “techie” department. After the
widely publicize Enron, Arthur Anderson and Worldcom scandal, corporate
governance has attracted more attention than ever before. IT Governance
is a subset discipline of Corporate Governance focused on information
technology (IT) systems and their performance and risk management.
In this issue of the newsletter, we feature IT Governance and its
relevance to ITSM/ITIL. Sushil Chatterji (member of the International
IT Governance Committee of ISACA) and David Cannon (IT Governance
Chair on the itSMF USA Board) have kindly contributed the feature
articles on IT Governance and its relation to ITIL. How do you feel
about IT Governance? Is the market going overboard with IT Governance
or are we going to the right direction? Will IT Governance be the
cure for corporate scandals and lead corporations to the path of business
integrity and ethics? Let us know your opinion at firstname.lastname@example.org
On another note, the much anticipated wait is finally over when ITIL
3.0 was released on 30 May, 2007. Unfortunately, we could not feature
ITIL 3.0 in this issue. Wait for our next issue as we will feature
all about the new ITIL 3.0 release (officially known as ITIL Refresh)
We hope you will enjoy this newsletter.
Special Feature on IT Governance
The sun baked down onto the dusty main street. A stray piece of tumbleweed stirred in the hot eddy of a desert whirlwind. The small crowd of townspeople stood frozen in anticipation as two men faced off against each other. Even the flies seemed to stop in mid-flight as four hands hovered over poised six-shooters.
Mayor Clifford E. Owens broke the silence, his powerful voice rolling between the canyon walls of storefronts and saloons. “This town ain’t big enough for the both of us, Server Sid. Those unauthorized architecture changes and unscheduled upgrades that kept users offline and leaked confidential information to the public have happened for the last time!”
“It’s your funeral, Mayor” drawled Server Sid, spitting into the dirt. “Either I shoot you right here, or you’ll die without my technical expertise!”
The sound of galloping hooves broke through the barrier of heat and tension. The crowd ran, cheering, to meet the approaching horsemen. “I don’t believe it”, muttered Mayor Owens, a relieved smile breaking through his strained features, “it’s the Management Brothers – Sheriff Governance and his deputy, Service Management!”
Although IT has been around for decades, it still offers many new opportunities and possibilities for businesses. Like the pioneers in the American west, however, anyone wanting to exploit IT’s new opportunities will have to deal with its challenges.
The good news is that the early lawlessness of new technology is being dealt with by some serious law makers and enforcers. Early adoption of IT Service Management (ITSM) has shown that if IT is aligned to the business and managed as a set of services, it is easier to manage and contributes more meaningfully to the business. However, these processes are no longer enough.
While ITSM is good, it is voluntary. Nobody requires IT departments to do it, and nobody really has any power to change it if they don’t. The result is that many IT departments still continue to focus on managing technology without any understanding of their impact on the business. As such, they are a burden on the business resources, instead of a strategic contributor.
Business today is looking for ways of reducing spend caused by trying to control IT, and is looking for ways of harnessing it to meet and expand their strategies. So what is governance and how will it help?
There are as many definitions of governance as there are practitioners. At its simplest level, governance is ‘the action or manner of governing’ (Oxford English Dictionary). This is somewhat vague, but more complex definitions seem to make it more difficult. The author of this article needed to come up with something more practical for an itSMF project. After much research he came up with the following definition of Governance:
“The rules whereby decisions are made, authority is allocated, information is reported and money is spent – and the ability to execute and enforce those rules”
The implications of this definition are as follows:
Governance is not about technology, it is about management and the business
Often people will speak about IT Governance as if it has nothing to do with the business. In fact, governance is a business issue, and it is organization-wide. Legislation such as Sarbanes-Oxley was not aimed at IT, but at the business as a whole, while IT plays a key role in helping the organization achieve good governance. As with most things, in governance the business should take the lead.
Governance is our responsibility whether legislation requires it or not
Imagine trying to run a business without rules about who can spend money, or what criteria must be used to make decisions. Any successful organization fully understands the need to govern itself.
Successful IT organizations are the same. The only problem has been that technology is so new that the rules aren't always clear. Over the past several years, a number of approaches have been initiated to help define the rules and to make them clear. These include:
Legislation helps to back up good intention
Most successful organizations are well governed and strive to become even better. The leadership of those organizations understands how important it is to make the right decisions and to have the right information. However, recent history has shown how a small number of “outlaws” can take a good organization and turn it bad, by abusing good intentions and introducing bad governance. This was hidden by convoluted reporting and misrepresentation of facts – perpetrated by the very people who were responsible for building good governance.
Legislation such as Sarbanes-Oxley and audit frameworks like COBIT, make it necessary and possible for the rules to be public and compliance measured. Governance is the sheriff that makes it possible for the business community to outlaw the “bad guys” so that the business and IT can continue to evolve and grow.
Governance is necessary for the growth of IT
Uncontrolled growth and the reactive development of rules result in constraints that eventually result in an inbred IT department that does not understand its broader business context. IT needs to be in touch with the business, as well as the broader IT environment. Governance provides a mechanism whereby this communication can take place as everyone understands the roles, responsibilities and scope of the IT department.
Governance also protects IT against unreasonable or irresponsible requests from the business. It enables IT to weigh up every opportunity together with the business and evaluate whether that opportunity would be appropriate and feasible.
Governance is therefore one of the steps required for IT to become a strategic component of the business, rather than just a set of support tools.
Governance is the basis for standardization and integration
Any business that wants to grow, needs to think about two key issues:
Service Management is not Governance, but it can really help
Service Management is about implementing processes that ensure the delivery and support of IT services to the business. Some of these processes specify roles and many of them involve making decisions and spending money. In this sense, Service Management can help to clarify governance by helping to identify and quantify the rules that will form part of the governance framework.
Steps to Achieving Law and Order
Implementing governance (and taming the Wild West) will involve the following steps:
“Well…..” the sheriff thought for a moment. “We could string you and the rest of your gang up, but that would leave the Mayor in a real fix. Tell you what we’ll do…..” The Sheriff, Deputy and Mayor drew to one side and spoke animatedly for some time.
Six months later……
Server Sid and the rest of the Techie Gang had been given a choice – jail or help Mayor Owens build the town into a strong community. All of them pitched in and with the saloon management, tax collection and gold evaluation systems functioning effectively, the town became prosperous beyond all expectations.
Better than anything, the Techie Gang were instrumental in figuring out how that notorious varmint, Cardsharp Cody, was cheating the citizens and had him refund all the money he had stolen.
Mayor Owens sidled up to Server Sid, Networking Ned and Application Andy in the saloon. “Howdy partners, I’ve got a great idea to put this town on the map – do you want to be part of it, or do you just want to manage your machines?.......”
About the author: David Cannon is the ITSM Practice Principal for HP Education and Governance Chair on the itSMF USA Board.
|ITIL Refresh News|
ITIL Version 3 Launched!
The ITIL V3 Glossary is now free to download via a free click use licence at http://www.best-management-practice.com/ITILGlossary
Through TSO’s partnership with itSMF International, the Official translated Glossaries will be available for free download on http://www.best-management-practice.com and itSMF chapters’ websites within six months.
These will be available in the following languages:
The Glossary will be available within 12 months of the English language version in the following languages:
If you have not done so already register for the TSO elert service at http://www.best-management-practice.com/ITILRefreshRegister to ensure you are amongst the first to obtain access to these translated Glossaries.
ITIL V3 Lifecycle books Published... order them today!
(itSMF Singapore members enjoy a 15% discount)
After two years of planning, scoping, development and review, the five lifecycle titles are published today by TSO with the release of the electronic formats following shortly.
The "Official Introduction of the ITIL Service Lifecycle" book is provisionally scheduled to be published at the end of June.
itSMF Singapore now carries ITIL ver 3.0
1. ITIL Lifecycle Publication Suite
2a. ITIL V3 Service Stategy (Harcopy)
2b. ITIL V3 Service Stategy (E-book Version for 1 User)
3a. ITIL V3 Service Design (Hardcopy)
3b. ITIL V3 Service Design (E-Book Version for 1 User)
4a. ITIL V3 Service Transition
4b. ITIL V3 Service Transition (E-Book Version for 1 User)
5a. ITIL V3 Service Operation
5b. ITIL V3 Service Operation (E-Book Version for 1 User)
6a. ITIL V3 Continual Service Improvement
6b. ITIL V3 Continual Service Improvement (E-Books Version for 1
Start ordering these books from our itSMF Bookstore today !!!
|ITIL V3 Global Roadshows - UPDATE|
The 7 ITIL V3 Global Roadshows are promoting the launch of ITIL V3 throughout the world. Working with our partners, OGC, TSO and AMP Group these roadshows are the only way to find out truly what is in the publications. You also have a chance to come and meet the authors.
The ITIL V3 Global Roadshows start in London (UK) on June 5th 2007, and then move on to Copenhagen (7th June - Denmark), San Jose (12th June) & Chicago (15th June) (USA), Seoul (18th June - Korea), Sydney 20th June - Australia) and finish in Sao Paulo (Brazil) on 22nd June 2007.
The London event is in a couple of weeks and is completely sold out. There are still some places available at the other global events, please click on the relevant city/country to find out more information.
The first of the USA events starts in San Jose on 12th June followed closely by Chicago on 15th June – 2 dates that really should not be missed.
Places are limited at these events so if you want to hear more about ITIL V3 straight from the authors then book your place now! (links below)
ITIL V3 GLOBAL ROADSHOWS:
5th June 2007 - London, UK (SOLD OUT)
Global sponsors: Accenture, BMC, Computer Associates, HP, IBM
Governance Benefits the Organisation
- by Sushil Chatterji
IT Governance benefits the organisation
One can hardly browse through a technology publication these days without reading at least one article on “ROI from IT” or “business and IT alignment”. Clearly, it has been figured out that successful IT management is more about the business and less about the technology. The slew of corporate scandals involving huge write-offs from IT-enabled investments only serve to underscore the business impact of IT. At a time when C-level management face criminal charges for corporate governance violations, the need to better oversee IT investments at all levels has never been greater. However, despite the fact that IT-enabled investments amount to more than 50 percent of the annual capital spend on average, only 6 percent of US publicly traded companies operate IT oversight committees.
It comes as no surprise that such weak governance has led to recent cases such as Disney writing-off $878 million due to poor investment decisions by its Internet division. Similarly, Kmart wrote off $130 million for its supply chain hardware and software investments. Gateway also disposed of $143 million worth IT investments that no longer met with the company's strategy.
Yet for some in IT management, the notion that IT has to be governed is just a passing one…. If you ask them if their departments are aligned with the business you will get a hearty "Oh, sure!" However, if you ask them to describe their IT governance processes, you will often get silence – because they have no such process.
What is IT Governance and why do we need it?
IT Governance is not very different from governance in other areas of the organisation. Enterprise Governance is defined as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organisation’s resources are used responsibly." In the case of IT, governance is the set of leadership, processes and structures to ensure the enterprise’s IT enables and supports the enterprise’s strategies and objectives by defining the following:
It seems simple enough, but why would IT managers want such formality? After all, there are many CIOs, IT managers and directors who can tell departments exactly what they need--and they better like it! After all, they are the technology experts.
So, what are the benefits of having IT Governance? A good outcome is "buy-in". If you want to become true partners with your customers (or even if you don't and just want them to go along quietly with your advice), you need to make them part of the process. Much of our success as IT is dependent on our customers buying into the solutions that we offer them to meet their needs. No buy-in often leads to failure.
Besides buy-in, IT Governance can:
The approach to adopting IT Governance
How does one get started in improving IT Governance? Is there help and guidance available to aid in the better adoption and implementation of IT Governance? The answer to both questions is definitely “yes”. The Control Objectives for Information and related Technology (COBIT) framework and its associated family of products from the IT Governance Institute is commonly used as an over-arching process assessment and integrating guide, in conjunction with complementary best-practice frameworks for specific areas of IT such as Enterprise Architecture, Project Management, Software development, Service Management, Portfolio and Value Management, Security Management, Risk Management etc. The underlying basis for this is the comprehensive and detailed coverage of the IT lifecycle from the internal controls perspective in COBIT.
Designed to support businesses in achieving improved outcomes, alignment and value, the COBIT framework, now in its 4th version, and its related products have been mapped out to provide a set of best practices and procedures in IT Governance. Organisations should make full use of them by evaluating their merits and incorporate them where possible. It would also be crucial for the senior management to be actively involved in this process to ensure success. The best part is that most of the COBIT family of products, including the framework itself, is a free download in pdf format, for personal use – just visit www.isaca.org or www.itgi.org.
By making a firm commitment to adopting IT Governance, organisations will not only begin to realise the benefits listed earlier, but also earn the acknowledgement of the auditors – especially IT auditors. The simple reason for this is that the IT auditors use the very same COBIT framework when planning and conducting their IT audit. This has been the case since the origins of COBIT over 12 years ago, but it has since evolved to be the de facto IT Governance framework in use by management, users, and auditors today.
The essential use of, and links between CobiT and ITIL
CobiT has been developed from established frameworks, such as the Software Engineering Institute's Capability Maturity Model, ISO 9000 and, most importantly in this context, the Information Technology Infrastructure Library (ITIL). Unlike ITIL, CobiT does not include process steps and tasks because it is more a control framework rather than a process execution framework. CobiT focuses on what an enterprise needs to do, not how it needs to do it, and the target audience is auditors, senior business and IT management.
ITIL is based on defining best-practice processes for IT service management, rather than defining a broad-based control framework. It focuses on the method. ITIL has a much narrower scope than CobiT because of its focus on IT service management, but it defines a more comprehensive set of processes within that narrower field of service delivery and support. ITIL is more prescriptive about the tasks involved in those processes and, as such, its primary target audience is IT and service management.
The principles behind the CobiT and ITIL frameworks are consistent. Auditors often use CobiT in combination with the ITIL self-assessments to assess the service management environment. CobiT provides a set of key goal and performance indicators, maturity models and control objectives for each of its processes. These add value to ITIL because they establish the basis for managing the ITIL processes. Some enterprises have combined the two to provide a more-comprehensive IT Governance and operations framework.
Many of the CobiT processes — particularly those in the delivery and support domain, such as DS1, DS3, DS4, DS8, DS9 and DS10 — map well onto one or more ITIL processes, such as service level, configuration, problem, incident, release, capacity, and availability management. Similarly, the AI6 change management process maps well onto ITIL's change management process and other supporting processes, such as release management.
Recognising this convergence, the IT Governance Institute, the OGC and the itSMF jointly produced a management briefing document in November 2005 entitled: Aligning CobiT, ITIL and ISO 17799 for Business Benefit. This document is available as a download from www.isaca.org.
About the Author: Sushil Chatterji is actively involved with the CobiT and Val IT frameworks with the IT Governance Institute (ITGI). He also sits on the IT Governance Committee of ISACA.