Editor's Corner

Business Integrity, Ethics and Control ; these terms are the new maxim of corporate governance. One will come across these terms quite often even when you talk among friends and colleagues. I have always wondered why there is such a big interest about Governance, in particular IT Governance.

The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization. Historically, IT has always been managed separately from the business and it is always confined to the “techie” department. After the widely publicize Enron, Arthur Anderson and Worldcom scandal, corporate governance has attracted more attention than ever before. IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.

In this issue of the newsletter, we feature IT Governance and its relevance to ITSM/ITIL. Sushil Chatterji (member of the International IT Governance Committee of ISACA) and David Cannon (IT Governance Chair on the itSMF USA Board) have kindly contributed the feature articles on IT Governance and its relation to ITIL. How do you feel about IT Governance? Is the market going overboard with IT Governance or are we going to the right direction? Will IT Governance be the cure for corporate scandals and lead corporations to the path of business integrity and ethics? Let us know your opinion at newsletter@itsmf.org.sg

On another note, the much anticipated wait is finally over when ITIL 3.0 was released on 30 May, 2007. Unfortunately, we could not feature ITIL 3.0 in this issue. Wait for our next issue as we will feature all about the new ITIL 3.0 release (officially known as ITIL Refresh)

We hope you will enjoy this newsletter.

Thank You

Yours sincerely,
Ho Eu Jin, Cindy Ling & Chan Hwee Hiong

May 2007

Order the
ITIL version 3 books online now!

itSMF Singapore members enjoy a 15% discount!

*Terms and Conditions Apply

:: Membership

Not an itSMF Singapore Member? Join us and enjoy many benefits!

Special Feature on IT Governance

Governance - Taming the Wild West! - by David Cannon

The sun baked down onto the dusty main street. A stray piece of tumbleweed stirred in the hot eddy of a desert whirlwind. The small crowd of townspeople stood frozen in anticipation as two men faced off against each other. Even the flies seemed to stop in mid-flight as four hands hovered over poised six-shooters.

Mayor Clifford E. Owens broke the silence, his powerful voice rolling between the canyon walls of storefronts and saloons. “This town ain’t big enough for the both of us, Server Sid. Those unauthorized architecture changes and unscheduled upgrades that kept users offline and leaked confidential information to the public have happened for the last time!”

“It’s your funeral, Mayor” drawled Server Sid, spitting into the dirt. “Either I shoot you right here, or you’ll die without my technical expertise!”

The sound of galloping hooves broke through the barrier of heat and tension. The crowd ran, cheering, to meet the approaching horsemen. “I don’t believe it”, muttered Mayor Owens, a relieved smile breaking through his strained features, “it’s the Management Brothers – Sheriff Governance and his deputy, Service Management!”

---oooOooo---

Although IT has been around for decades, it still offers many new opportunities and possibilities for businesses. Like the pioneers in the American west, however, anyone wanting to exploit IT’s new opportunities will have to deal with its challenges.

The good news is that the early lawlessness of new technology is being dealt with by some serious law makers and enforcers. Early adoption of IT Service Management (ITSM) has shown that if IT is aligned to the business and managed as a set of services, it is easier to manage and contributes more meaningfully to the business. However, these processes are no longer enough.

While ITSM is good, it is voluntary. Nobody requires IT departments to do it, and nobody really has any power to change it if they don’t. The result is that many IT departments still continue to focus on managing technology without any understanding of their impact on the business. As such, they are a burden on the business resources, instead of a strategic contributor.

Business today is looking for ways of reducing spend caused by trying to control IT, and is looking for ways of harnessing it to meet and expand their strategies. So what is governance and how will it help?

There are as many definitions of governance as there are practitioners. At its simplest level, governance is ‘the action or manner of governing’ (Oxford English Dictionary). This is somewhat vague, but more complex definitions seem to make it more difficult. The author of this article needed to come up with something more practical for an itSMF project. After much research he came up with the following definition of Governance:

“The rules whereby decisions are made, authority is allocated, information is reported and money is spent – and the ability to execute and enforce those rules”

The implications of this definition are as follows:

Governance is not about technology, it is about management and the business

Often people will speak about IT Governance as if it has nothing to do with the business. In fact, governance is a business issue, and it is organization-wide. Legislation such as Sarbanes-Oxley was not aimed at IT, but at the business as a whole, while IT plays a key role in helping the organization achieve good governance. As with most things, in governance the business should take the lead.

Governance is our responsibility whether legislation requires it or not

Imagine trying to run a business without rules about who can spend money, or what criteria must be used to make decisions. Any successful organization fully understands the need to govern itself.

Successful IT organizations are the same. The only problem has been that technology is so new that the rules aren't always clear. Over the past several years, a number of approaches have been initiated to help define the rules and to make them clear. These include:

• Standards (such as ISO/IEC20000) which help IT organizations understand what management processes and tools they need to have to be successful
• Control Objectives (such as COBIT) which help IT organizations understand how to measure, report and control IT processes
• Best Practices (such as ITIL) which help IT organizations to implement the processes and controls identified in the previous two points
• Legislation (such as Sarbanes-Oxley) mandates what level of governance needs to be in place for publicly traded companies
• Regulation (such as Basel II or HIPAA) specifies governance requirements for organizations in a specific industry (e.g. Financial or Health Care)

Legislation helps to back up good intention

Most successful organizations are well governed and strive to become even better. The leadership of those organizations understands how important it is to make the right decisions and to have the right information. However, recent history has shown how a small number of “outlaws” can take a good organization and turn it bad, by abusing good intentions and introducing bad governance. This was hidden by convoluted reporting and misrepresentation of facts – perpetrated by the very people who were responsible for building good governance.

Legislation such as Sarbanes-Oxley and audit frameworks like COBIT, make it necessary and possible for the rules to be public and compliance measured. Governance is the sheriff that makes it possible for the business community to outlaw the “bad guys” so that the business and IT can continue to evolve and grow.

Governance is necessary for the growth of IT

Uncontrolled growth and the reactive development of rules result in constraints that eventually result in an inbred IT department that does not understand its broader business context. IT needs to be in touch with the business, as well as the broader IT environment. Governance provides a mechanism whereby this communication can take place as everyone understands the roles, responsibilities and scope of the IT department.

Governance also protects IT against unreasonable or irresponsible requests from the business. It enables IT to weigh up every opportunity together with the business and evaluate whether that opportunity would be appropriate and feasible.

Governance is therefore one of the steps required for IT to become a strategic component of the business, rather than just a set of support tools.

Governance is the basis for standardization and integration

Any business that wants to grow, needs to think about two key issues:

1. How will we standardize processes, functions and tools so that we can perform tasks consistently, using a common set of resources to keep our costs down and performance high? Governance helps to achieve this by identifying constraints imposed by the rules and working on ways to overcome these. Governance will also help to identify and assign accountability to the right person for making standardization happen
2. How do we integrate the data from different parts of the organization so that we can use it to support business optimization and growth? Governance will assist by identifying what information is necessary, while ensuring that privacy is protected and conflict of interest is avoided

Service Management is not Governance, but it can really help

Service Management is about implementing processes that ensure the delivery and support of IT services to the business. Some of these processes specify roles and many of them involve making decisions and spending money. In this sense, Service Management can help to clarify governance by helping to identify and quantify the rules that will form part of the governance framework.

Steps to Achieving Law and Order

Implementing governance (and taming the Wild West) will involve the following steps:

1. Agree the vision and objectives. What are you trying to do? Projects aimed at optimizing IT or to improve IT services, governance will tend to be voluntary and will grow organically with the project. Organizations trying to gain compliance so that they can do business in a specific industry sector will tend to use an external framework or legislation or standard and base their project around that
2. Define the Governance Framework. This could be based on a formal framework, such as COBIT or HIPAA, or it could be developed specifically for the organization with input from these various sources
3. Agree authority structures and information requirements. This will define who is ultimately responsible for key areas of IT and the business, what decisions they are responsible for and what information they need to make those decisions
4. Define responsibilities and decision-making processes. As each process is defined, responsibility will be delegated to individuals. These responsibilities need to be defined together with instructions on what decisions they are authorized to make and what process to follow in making these decisions. Each output must be clearly defined and mapped to its owner and the eventual business outcome
5. Agree Management metrics. This will ensure that the appropriate manager gets the information they need to ensure that each process or output is performing the way it is supposed to be. This will also define what action will be taken if the metric does not meet specifications
6. Agree communication objectives and mechanisms to ensure that every manager has the information they need to do their job and detect any problems
7. Ensure ongoing evaluation and adaptation. Each manager is responsible for identifying areas for improvement. Good governance requires that managers identify areas of weakness or potential wrongdoing and deal with them, rather than trying to hide them.

---oooOooo---

The gun slid from Server Sid’s shaking hand as the Sheriff and his deputy approached. “What’s going to happen to me?” he asked, dread filling his very being.

“Well…..” the sheriff thought for a moment. “We could string you and the rest of your gang up, but that would leave the Mayor in a real fix. Tell you what we’ll do…..” The Sheriff, Deputy and Mayor drew to one side and spoke animatedly for some time.

---oooOooo---

Six months later……

Server Sid and the rest of the Techie Gang had been given a choice – jail or help Mayor Owens build the town into a strong community. All of them pitched in and with the saloon management, tax collection and gold evaluation systems functioning effectively, the town became prosperous beyond all expectations.

Better than anything, the Techie Gang were instrumental in figuring out how that notorious varmint, Cardsharp Cody, was cheating the citizens and had him refund all the money he had stolen.

Mayor Owens sidled up to Server Sid, Networking Ned and Application Andy in the saloon. “Howdy partners, I’ve got a great idea to put this town on the map – do you want to be part of it, or do you just want to manage your machines?.......”

About the author: David Cannon is the ITSM Practice Principal for HP Education and Governance Chair on the itSMF USA Board.

The ITIL V3 Glossary is now free to download via a free click use licence at http://www.best-management-practice.com/ITILGlossary

Through TSO’s partnership with itSMF International, the Official translated Glossaries will be available for free download on http://www.best-management-practice.com and itSMF chapters’ websites within six months.

These will be available in the following languages:

• Brazilian Portuguese
• French
• German
• Japanese
• Spanish (Castilian and Latin American).

The Glossary will be available within 12 months of the English language version in the following languages:

• Arabic
• Chinese
• Dutch
• Hindi or Urdu.

If you have not done so already register for the TSO elert service at http://www.best-management-practice.com/ITILRefreshRegister to ensure you are amongst the first to obtain access to these translated Glossaries.

Visit the itSMF Singapore Bookstore

After two years of planning, scoping, development and review, the five lifecycle titles are published today by TSO with the release of the electronic formats following shortly.

The "Official Introduction of the ITIL Service Lifecycle" book is provisionally scheduled to be published at the end of June.

itSMF Singapore now carries ITIL ver 3.0

1. ITIL Lifecycle Publication Suite
Collection of all 5 ITIL Books, Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement

Members Price: S$927.00
Non Member Price: S$787.95

2a. ITIL V3 Service Stategy (Harcopy)
A view of ITIL that aligns business and IT so that each brings out the best in the other. It ensures that every stage of the service lifecycle stays focused on the business case and relates to all the companion process elements that follow. Subsequent titles will link deliverables to meeting the business goals, requirements and service management principles described in this publication.
Concepts and guidance in this publication include:
· Value planning
· Linking business plans and directions to IT service strategy
· Planning and implementing service strategy

Members Price: S$223.55
Non Member Price: S$263.00

2b. ITIL V3 Service Stategy (E-book Version for 1 User)
Note: Ebook is a single user, non-networkable basic downloadable PDF of the ITIL Book

Members Price: S$223.55
Non Member Price: S$263.00

3a. ITIL V3 Service Design (Hardcopy)
In order to meet the current and future business requirements, Service Design provides guidance on the production and maintenance of IT policies, architectures, and documents for the design of appropriate and innovative IT services solutions and processes.
Concepts and guidance in this publication include:
· Service design objectives and elements
· Selecting the service design model
· Cost model
· Benefit/risk analysis
· Implementing service design
· Measurement and control.

Members Price: S$223.55
Non Member Price: S$263.00

3b. ITIL V3 Service Design (E-Book Version for 1 User)
Note: Ebook is a single user, non-networkable basic downloadable PDF of the ITIL Book

Members Price: S$223.55
Non Member Price: S$263.00

4a. ITIL V3 Service Transition
Service Transition focuses on the broader, long-term change management role and release practices, so that risks, benefits, delivery mechanism and the ease of ongoing operations of service are considered. This publication provides guidance and process activities for the transition of services into the business environment.
Concepts and guidance in this publication include:
· Managing organisational and cultural change
· Knowledge management
· Service knowledge management system
· Methods, practices and tools
· Measurement and control
· Companion best practices.

Members Price: S$223.55
Non Member Price: S$263.00

4b. ITIL V3 Service Transition (E-Book Version for 1 User)
Note: Ebook is a single user, non-networkable basic downloadable PDF of the ITIL Book

Members Price: S$223.55
Non Member Price: S$263.00

5a. ITIL V3 Service Operation
By focusing on delivery and control process activities, a highly desirable, steady state of managing services can be achieved on a day-to-day basis. To ensure it is integrated with the rest of the ITIL library, guidance is based on a selection of familiar service support and service delivery control points.
· Concepts and guidance in this publication include:
· Application Management
· Change Management
· Operations Management
· Control processes and functions
· Scaleable practices
· Measurement and control.

Members Price: S$223.55
Non Member Price: S$263.00

5b. ITIL V3 Service Operation (E-Book Version for 1 User)
Note: Ebook is a single user, non-networkable basic downloadable PDF of the ITIL Book

Members Price: S$223.55
Non Member Price: S$263.00

6a. ITIL V3 Continual Service Improvement
Alongside the delivery of consistent, repeatable process activities as part of service quality, ITIL has always emphasised the importance of continual improvements. Focusing on the process elements involved in identifying and introducing service management improvements, this publication also deals with issues surrounding service retirement.
· Concepts and guidance in this publication include:
· Business and technology drivers for improvement
· Justification
· Business, financial and organisational improvements
· Methods, practices and tools
· Measurement and control
· Companion best practices.

Members Price: S$223.55
Non Member Price: S$263.00

6b. ITIL V3 Continual Service Improvement (E-Books Version for 1 User)
Note: Ebook is a single user, non-networkable basic downloadable PDF of the ITIL Book

Members Price: S$223.55
Non Member Price: S$263.00

Start ordering these books from our itSMF Bookstore today !!!

The 7 ITIL V3 Global Roadshows are promoting the launch of ITIL V3 throughout the world. Working with our partners, OGC, TSO and AMP Group these roadshows are the only way to find out truly what is in the publications. You also have a chance to come and meet the authors.

The ITIL V3 Global Roadshows start in London (UK) on June 5th 2007, and then move on to Copenhagen (7th June - Denmark), San Jose (12th June) & Chicago (15th June) (USA), Seoul (18th June - Korea), Sydney 20th June - Australia) and finish in Sao Paulo (Brazil) on 22nd June 2007.

The London event is in a couple of weeks and is completely sold out. There are still some places available at the other global events, please click on the relevant city/country to find out more information.

The first of the USA events starts in San Jose on 12th June followed closely by Chicago on 15th June – 2 dates that really should not be missed.

Places are limited at these events so if you want to hear more about ITIL V3 straight from the authors then book your place now! (links below)

ITIL V3 GLOBAL ROADSHOWS:

5th June 2007 - London, UK (SOLD OUT)
7th June 2007 - Copenhagen, Denmark
12th June 2007 - San Jose, USA
15th June 2007 - Chicago, USA
18th June 2007 - Seoul, South Korea
20th June 2007 - Sydney, Australia
22nd June 2007 - Sao Paulo, Brazil

Global sponsors: Accenture, BMC, Computer Associates, HP, IBM

IT Governance benefits the organisation

One can hardly browse through a technology publication these days without reading at least one article on “ROI from IT” or “business and IT alignment”. Clearly, it has been figured out that successful IT management is more about the business and less about the technology. The slew of corporate scandals involving huge write-offs from IT-enabled investments only serve to underscore the business impact of IT. At a time when C-level management face criminal charges for corporate governance violations, the need to better oversee IT investments at all levels has never been greater. However, despite the fact that IT-enabled investments amount to more than 50 percent of the annual capital spend on average, only 6 percent of US publicly traded companies operate IT oversight committees.

It comes as no surprise that such weak governance has led to recent cases such as Disney writing-off $878 million due to poor investment decisions by its Internet division. Similarly, Kmart wrote off $130 million for its supply chain hardware and software investments. Gateway also disposed of $143 million worth IT investments that no longer met with the company's strategy.

Yet for some in IT management, the notion that IT has to be governed is just a passing one…. If you ask them if their departments are aligned with the business you will get a hearty "Oh, sure!" However, if you ask them to describe their IT governance processes, you will often get silence – because they have no such process.

What is IT Governance and why do we need it?

IT Governance is not very different from governance in other areas of the organisation. Enterprise Governance is defined as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organisation’s resources are used responsibly." In the case of IT, governance is the set of leadership, processes and structures to ensure the enterprise’s IT enables and supports the enterprise’s strategies and objectives by defining the following:

1. What key decisions need to be made;
2. Who is responsible for making them;
3. How they are made; and
4. The processes and supporting structures for making them, including monitoring adherence to the process and effectiveness of the decisions

Figure 1: IT Governance Focus Areas (IT Governance Institute)

It seems simple enough, but why would IT managers want such formality? After all, there are many CIOs, IT managers and directors who can tell departments exactly what they need--and they better like it! After all, they are the technology experts.

So, what are the benefits of having IT Governance? A good outcome is "buy-in". If you want to become true partners with your customers (or even if you don't and just want them to go along quietly with your advice), you need to make them part of the process. Much of our success as IT is dependent on our customers buying into the solutions that we offer them to meet their needs. No buy-in often leads to failure.

Besides buy-in, IT Governance can:

• Aid in aligning IT with the organizational goals and strategy.
• Raise the profile of IT.
• Aid in compliance.
• Help convert strategic goals into IT projects.
• Aid in project and portfolio management.
• Reduce IT risk.
• Aid in IT strategic planning.
• Aid in performance measurement.
• Aid in embedding IT into the organization's culture.
• Aid in demand management (demand for IT's services by other departments)
• Optimise IT operations.
• Increase project visibility.

The approach to adopting IT Governance

How does one get started in improving IT Governance? Is there help and guidance available to aid in the better adoption and implementation of IT Governance? The answer to both questions is definitely “yes”. The Control Objectives for Information and related Technology (COBIT) framework and its associated family of products from the IT Governance Institute is commonly used as an over-arching process assessment and integrating guide, in conjunction with complementary best-practice frameworks for specific areas of IT such as Enterprise Architecture, Project Management, Software development, Service Management, Portfolio and Value Management, Security Management, Risk Management etc. The underlying basis for this is the comprehensive and detailed coverage of the IT lifecycle from the internal controls perspective in COBIT.

Designed to support businesses in achieving improved outcomes, alignment and value, the COBIT framework, now in its 4th version, and its related products have been mapped out to provide a set of best practices and procedures in IT Governance. Organisations should make full use of them by evaluating their merits and incorporate them where possible. It would also be crucial for the senior management to be actively involved in this process to ensure success. The best part is that most of the COBIT family of products, including the framework itself, is a free download in pdf format, for personal use – just visit www.isaca.org or www.itgi.org.

By making a firm commitment to adopting IT Governance, organisations will not only begin to realise the benefits listed earlier, but also earn the acknowledgement of the auditors – especially IT auditors. The simple reason for this is that the IT auditors use the very same COBIT framework when planning and conducting their IT audit. This has been the case since the origins of COBIT over 12 years ago, but it has since evolved to be the de facto IT Governance framework in use by management, users, and auditors today.

Figure 2: 34 IT lifecycle process in the COBIT Framework (IT Governance Institute)

The essential use of, and links between CobiT and ITIL

CobiT has been developed from established frameworks, such as the Software Engineering Institute's Capability Maturity Model, ISO 9000 and, most importantly in this context, the Information Technology Infrastructure Library (ITIL). Unlike ITIL, CobiT does not include process steps and tasks because it is more a control framework rather than a process execution framework. CobiT focuses on what an enterprise needs to do, not how it needs to do it, and the target audience is auditors, senior business and IT management.

ITIL is based on defining best-practice processes for IT service management, rather than defining a broad-based control framework. It focuses on the method. ITIL has a much narrower scope than CobiT because of its focus on IT service management, but it defines a more comprehensive set of processes within that narrower field of service delivery and support. ITIL is more prescriptive about the tasks involved in those processes and, as such, its primary target audience is IT and service management.

The principles behind the CobiT and ITIL frameworks are consistent. Auditors often use CobiT in combination with the ITIL self-assessments to assess the service management environment. CobiT provides a set of key goal and performance indicators, maturity models and control objectives for each of its processes. These add value to ITIL because they establish the basis for managing the ITIL processes. Some enterprises have combined the two to provide a more-comprehensive IT Governance and operations framework.

Many of the CobiT processes — particularly those in the delivery and support domain, such as DS1, DS3, DS4, DS8, DS9 and DS10 — map well onto one or more ITIL processes, such as service level, configuration, problem, incident, release, capacity, and availability management. Similarly, the AI6 change management process maps well onto ITIL's change management process and other supporting processes, such as release management.

Recognising this convergence, the IT Governance Institute, the OGC and the itSMF jointly produced a management briefing document in November 2005 entitled: Aligning CobiT, ITIL and ISO 17799 for Business Benefit. This document is available as a download from www.isaca.org.

References:

• IT Governance Institute (various publications) www.itgi.org, www.isaca.org
• Holistic approach to corporate, IT governance, by Michael Lam, Compuware, Enterprise Innovation, April 2007
• How IT governance benefits the organization, by Ramon Padilla Jr., TechRepublic, July 2005
• Combine CobiT and ITIL for Powerful IT Governance, S. Mingay/S.Bittinger, Gartner Research Note, June 2002

About the Author: Sushil Chatterji is actively involved with the CobiT and Val IT frameworks with the IT Governance Institute (ITGI). He also sits on the IT Governance Committee of ISACA.