IT Governance and Strategy

IT governance frameworks like ITIL, COBIT, and ISO/IEC 27002 provide guidance on aligning IT with business objectives and ensuring regulatory compliance and security. These frameworks establish best practices for areas such as IT service management, governance, and information security management. Organizations should select the framework or frameworks that best fit their needs, such as improving IT processes, addressing compliance, or implementing a holistic information security program. A joint framework can also integrate elements of these standards for a comprehensive approach.


IT Governance and Strategy
AUDCIS Module 3
Learning Objectives
• Describe IT governance and explain the significance of aligning IT with business objectives.
• Describe relevant IT governance frameworks.
• Explain the importance of implementing IT performance metrics within the organization, particularly the IT Balanced Scorecard. Describe the steps in building an IT Balanced Scorecard and illustrate with a supporting example.
• Discuss the importance of regulatory compliance and internal controls in organizations.
• Define IT strategy and discuss the IT strategic plan and its significance in aligning business objectives with IT.
• Explain what an IT Steering Committee is and describe its tasks in an organization.
• Discuss the importance of effective communication of the IT strategy to members of the organization.
• Describe the operational governance processes and how they control delivery of IT projects while aligning with business objectives.
IT Governance – Alignment of IT with Business Objectives
IT governance provides the structure to achieve alignment of the IT activities and processes with business objectives. It serves to:
• incorporate IT into the enterprise risk management program
• ensure adequate implementation of internal controls
• make certain of regulatory compliance
• manage the performance of IT
• ensure the delivery of IT value
IT Governance Frameworks
• ITIL – IT Infrastructure Library
• COBIT – Control Objectives for Information and Related Technologies
• ISO/IEC 27002 – British Standard / International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27002
ITIL
• Formerly Information Technology Infrastructure Library
• Developed by the UK Cabinet Office of Government Commerce (OGC) as a library of best practice processes for IT service management.
• A set of detailed practices for IT activities such as IT Service Management (ITSM) and IT Asset Management (ITAM) that focus on aligning IT services with the needs of the business
• An IT service management environment effectively and efficiently delivers business services to end users and customers
ITIL Five Core Guidelines
• Strategy – Guidelines or best practice processes to map the IT strategy with overall business goals and objectives
• Design – Guidelines or best practice processes (or requirements) implemented to guide toward a solution designed to meet business needs
• Transition – Aims at managing change, risk, and quality assurance during the deployment of an IT service
• Operation – Best practice processes put in place to maintain adequate and effective IT services once implemented into the production environment
• Continuous Improvement – Constantly looks for ways to improve the overall process and service provision
ITIL
• The ITIL framework should be chosen when the goal of the organization is to improve the quality of IT management services.
• The ITIL framework assists organizations in creating IT services that can effectively help manage daily tasks, particularly when the focus is on either the customer or the end user.
COBIT
• An IT governance framework that helps organizations meet today’s business challenges in the areas of
• regulatory compliance
• risk management, and
• alignment of the IT strategy with organization goals
• An authoritative, international set of generally accepted IT practices or control objectives, designed to help employees, managers, executives, and auditors in understanding IT systems, discharging fiduciary responsibilities, and deciding adequate levels of security and controls
COBIT5 Principles
• Meeting stakeholder needs
• Covering the enterprise end to end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating governance from management
COBIT
• The framework is valuable for organizations of all sizes and types, including commercial, not-for-profit, or public sector
• Provides a set of control objectives that not only helps IT management and governance professionals manage their IT operations but also helps IT auditors in their examination of those objectives
• Selection of COBIT may be appropriate when the goal of the organization is not only to understand and align IT and business objectives but also to address the areas of regulatory compliance and risk management
ISO/IEC 27002
• A global standard (used together with ISO/IEC 27001 framework) that
provides best practice recommendations related to the management
of information security
• Applies to those in charge of initiating, implementing and/or
maintaining information security management systems
• Assists in implementing commonly accepted information security
controls and procedures
ISO/IEC 27002
Includes techniques that help organizations secure their information assets.
Includes security techniques related to:
• Requirements for establishing, implementing, maintaining, assessing, and continually improving an information security management system within the context of the organization. These requirements are generic and are intended to be applicable to all organizations, regardless of type, size, or nature. (ISO/IEC 27001:2013)
• Guidance for information security management system implementation. (ISO/IEC DIS 27003)
• Guidelines for implementing information security management (i.e., initiating, implementing, maintaining, and improving information security) for inter-sector and inter-organizational communications. (ISO/IEC 27010:2015)
• Guidance on the integrated implementation of an information security management system, as specified in ISO/IEC 27001, and a service management system, as specified in ISO/IEC 20000-1. (ISO/IEC 27013:2015)
ISO/IEC 27002
• Assists organizations in managing the security of assets, including, but not limited to, financial information, intellectual property, employee details or information entrusted by third parties.
• Its purpose is to help organizations select proper security measures by utilizing the available domains of security controls. Each domain specifies control objectives that provide further guidance on how organizations may implement the framework.
• The ISO/IEC 27002 framework should be chosen when IT senior management (i.e., the CIO) targets an information security architecture that provides generic security measures to comply with federal laws and regulations.
A Joint Framework
• ITIL, COBIT, and ISO/IEC 27002 are all best-practice IT-related frameworks for regulatory and corporate governance compliance.
• The challenge is to implement an integrated framework that draws on these three standards.
• The Joint Framework, put together by the IT Governance Institute (ITGI) and the OGC, is a significant step in that direction.
A Joint Framework
A joint framework helps organizations to:
• meet the external regulatory requirements of data and privacy-related regulation;
• implement a single, integrated compliance method that delivers corporate governance general control objectives;
• get ready for certification to ISO 27001 and ISO 20000, both of which demonstrate compliance.
A Joint Framework
• Implementing a joint framework leads organizations toward effective
regulatory compliance and improves their competitiveness.
• Implementation of the frameworks just discussed is paramount in
addressing relevant areas within the IT field.
• Of equal importance is the establishment of metrics to measure IT
performance. These metrics should not only be in place but also
regularly assessed for consistency with the goals and objectives of the
organization.
IT Performance
Metrics
IT Performance Metrics
• Both organization and IT management must be in full support
• Areas to be measured should be closely aligned to the objectives of
the organization
• Critical metric set – the few key metrics that are critical to the
successful management of the function should be identified and
applied to the environment
Steps in Setting IT Performance Metrics
1. Identify the critical metric set
2. Develop and implement the initial measurements from the critical metric set
3. Show the results
4. Identify other areas that can be measured and provide reports on these areas
5. Present results in a format that is easy to understand

• The area to be measured must help in the development of metrics.
• Measures are applied to events and processes, never to individuals.
• Effective measures are reliable and valid.
IT Balanced Scorecard
• Is our current IT investment plan consistent with the organization’s
strategic goals and objectives?
• Was the IT application just developed a success?
• Was it implemented effectively and efficiently?
• Is our IT department adding value to the organization?
• Should our current IT services be outsourced to third parties?
IT Balanced Scorecard
• Provides an overall picture of IT performance aligned to the
objectives of the organization. It specifically measures and evaluates
IT-related activities (e.g., IT application projects, functions performed
by the IT department, etc.) from various perspectives
• Perspectives are then translated into corresponding metrics that
reconcile with the organization’s mission and strategic objectives.
• Results from the metrics are assessed for adequacy against target
values and/or organization initiatives
• Should be periodically revised for adequacy by management
personnel.
IT Balanced Scorecard Perspectives
• IT-Generated Business Value
• Future Orientation
• Operational Efficiency and Effectiveness
• End-User Service Satisfaction
IT Generated Business Value
• IT provides value through delivering successful projects and keeping operations running.
• IT projects deliver business value by automating business processes.
• IT services deliver value by being available for the organization as needed.
IT Generated Business Value
Sample Metrics
• There may be a perception that IT costs are growing without the
recognition that business costs should be dropping or revenue growing by
a greater margin
• Metrics to measure business value may address the functions of the IT
department, value generated by IT projects, management of IT
investments, sales made to outsiders or third parties.
• These metrics may include:
• percentage of resources devoted to strategic projects
• perceived relationship between IT management and senior-level management
• computation of traditional financial evaluation methods (e.g., ROI, payback period)
• actual vs budgeted expenses
• percentages over/under overall IT budget
• revenues from IT-related services and/or products
Future Orientation
• Future orientation is concerned with positioning IT for the future by
focusing on the following objectives:
• training and educating IT personnel for future IT challenges;
• improving service capabilities;
• staffing management effectiveness;
• enhancing enterprise architecture; and
• researching for emerging technologies and their potential value to the
organization.
Future Orientation
Sample Metrics
• Continuously improving IT skills through education, training, and development.
• Delivering internal projects consistent with plan.
• Staffing metrics by function (e.g., using utilization/billable ratios, voluntary turnover by performance level, etc.).
• Developing and approving an enterprise architecture plan, and adherence to its standards.
• Conducting relevant research on newly emerging technologies and their suitability for the organization.
Operational Efficiency and Effectiveness
• Focuses on the internal processes in place to deliver IT products and
services in an efficient and effective manner.
• Internal operations may be assessed by measuring and evaluating IT
processes in areas, such as quality, responsiveness, security, and
safety, among others.
• Other processes to be considered may include hardware and software
supply and support, problem management, management of IT
personnel, and the effectiveness and efficiency of current
communication channels.
• Metrics here can yield productivity information about the
performance of technologies and of specific personnel.
End-User Service Satisfaction
• The end-user, for IT purposes, may be internal personnel or external (e.g., users
accessing inter-organizational IT systems or services, etc.). From an end-user’s
perspective, the value of IT will be based on whether their jobs are completed timely and
accurately.
• A mission for this perspective would be to deliver value-adding products and services to
end-users. Related objectives would include maintaining acceptable levels of customer
satisfaction, partnerships between IT and business, application development
performance, and service-level performance.
• Metrics used to measure the objectives should focus on three areas:
• being the preferred supplier for applications and operations
• establishing and maintaining relationship with the user community
• satisfying end-user needs
• It would be necessary for IT personnel to establish and maintain positive relationships
with the user community in order to understand and anticipate their needs.
Steps in Building an IT Balanced Scorecard
1. Have both senior management and IT management on board from the start; make them aware of the concept of the IBS.
2. Coordinate the collection and analysis of data related to:
• corporate strategy and objectives (e.g., business strategy, IT strategy, company mission, company-specific goals, etc.);
• traditional business evaluation metrics and methods (e.g., ROI, payback period, etc.) currently implemented for IT performance measurement;
• potential metrics applicable to the four IBS perspectives.
3. Define the company-specific objectives and goals of the IT department or functional area from each of the four perspectives.
4. Develop a preliminary IBS based on the defined objectives and goals of the organization and the data outlined in the previous steps.
5. Request revisions, comments, and feedback from management after revising the IBS.
6. Have the IBS formally approved and ready to be used by the organization.
7. Communicate the IBS development process and its underlying rationale to all stakeholders.
Regulatory Compliance and Internal Controls
Issues in Regulatory Compliance and Internal Controls
• One of the key processes that organizations need to manage
• Might need a dedicated team to sift through all financial, security, privacy and industry-specific regulatory requirements to determine the impact on processes and information systems
• Can be satisfied with the implementation of the controls outlined in COBIT
• SOX of 2002 and other tools can help organizations identify laws and regulations and track the control process implemented to address them
IT Strategy
IT Strategy
• IT has become the critical ingredient in business strategies as both enabler and enhancer of the organization’s goals and objectives
• Strategy
• An important first step toward meeting the challenging and changing business environment
• A formal vision to guide the acquisition, allocation, and management of resources to fulfill the organization’s objectives
• An IT strategy or IT strategic plan formally guides the acquisition, allocation and management of IT resources consistent with the goals and objectives of the organization
IT Steering Committee
• Composed of decision makers from the various constituencies in the
organization to resolve conflicting priorities. The members should be senior
management and the CIO.
• Responsible for determining the overall IT investment strategy, ensuring
that IT investments are aligned with business priorities and that IT and
business resources are available to enable IT to deliver upon its
expectations
• Help ensure integration of the business and the IT strategic plan.
• Facilitates the integration of business and technology strategies, plans, and
operations by employing the principles of joint ownership, teamwork,
accountability, and understanding of major projects.
IT Steering Committee Tasks
• Reviewing business and technology strategies and plans.
• Prioritizing major development projects.
• Developing communication strategies.
• Reviewing development and implementation plans for all major projects.
• Providing business decisions on major design issues for all major projects.
• Monitoring status, schedule, and milestones for all major projects.
• Reviewing and approving major change requests for all major projects.
• Reviewing project budgets and ROIs.
• Resolving conflicts between business and technology groups.
• Monitoring business benefits during and after implementation of major projects.
Communication
• Effective communication is critical to coordinate the efforts of internal and external resources to accomplish the organization’s goals.
• Communication should occur at multiple levels, starting with internal weekly staff meetings. These should cover the employees within the department.
• Communication should also take place via town hall meetings, which are typically attended by (and addressed to) all employees in the organization.
• Communication between IT and the organization, particularly on matters such as IT strategy, goals, etc., should be timely and consistent.
• Communication should also include all (external) business partners and customers related to the organization.
Operational Planning
• Once there is an understanding of the organization’s objectives and IT
strategy, that strategy needs to be translated into operating plans
(also called operationalization).
• The annual operating planning process includes setting the top
priorities for the overall IT function as well as for individual IT
departments, including developing their annual budget, creating
resource and capacity plans, and preparing individual performance
plans for all IT staff.
• Operating plans will also identify and schedule the IT projects that will
be initiated and the IT service levels expected. Delivery of these plans
should be controlled by a series of governance processes.
Operational Planning Governance Processes
• Demand management – Requirements and business case approved by management; technology costs approved by IT
• Project initiation – Capacity and service levels approved by management; technology and resources approved by IT
• Technical review – Solution design approved by management; technical design approved by IT
• Procurement and vendor management – Requirements and solution approved by management; technology vendors approved by IT
• Financial management – Scope, schedule and budget approved by management and IT; progress is monitored by management and IT
Demand Management
• A demand management process can help ensure that resources are devoted to
projects that have a strong business case and also approved by senior
management.
• The demand management process helps ensure that senior management is on
board, and has provided conceptual approval to the project to proceed through
the initial requirements definition and conceptual design phases of the
development life cycle.
• A demand management process ensures that a project has business justification,
a business and IT sponsor, and a consistent approach for approving projects.
• A demand management process also ensures alignment of application and
infrastructure groups; that all project costs are identified to improve decision
making; that there are means to “weed out” nonessential projects; and that
means are identified to control IT capacity and spending.
Project Initiation
• Once a project with a strong business case has been approved, it should
undergo an initiation process that determines its total cost and benefit.
This is usually done by defining high-level business requirements and a
conceptual solution.
• Building a project estimate takes time and resources. It takes time from
business users to develop requirements and a business case. It also takes
time from software developers to develop a solution and cost estimates.
• After a project has conceptual approval, business users and software
programmers can work together to develop detailed requirements and
project estimates that will be used in the final business case and form the
basis for the project budget.
Technical Review
• The technical solution needs to be evaluated before moving forward to
ensure compliance with technology standards.
• A technical review process helps ensure that the right solution is selected,
that it integrates effectively with other components of technology (e.g.,
network, etc.), and that it can be supported with minimal investments in
infrastructure.
• One way to control technology solutions is to implement a Technical
Steering Committee (not to be confused with an IT Steering Committee)
with representatives from the various technical disciplines and enterprise
architects.
• A Technical Steering Committee provides a control mechanism for
evaluating and approving new technology solutions.
Technical Architecture Review Assessment
• Technical feasibility
• Alternative technologies
• In-house skill compatibility
• Existing environments/replacements
• Implementation, licensing, and cost considerations
• Research and analyst views
• Vendor company profile and financial viability
Procurement and Vendor Management
• Processes and procedures should be in place to define how the
procurement of IT resources, including people, hardware, software,
and other services will be performed.
• IT procurement involves strategic and administrative tasks, such as
defining requirements and specifications; performing the actual IT
service or resource acquisition (only after assessing and selecting the
appropriate vendor); and fulfilling contract requirements.
• Vendor selection usually involves the evaluation of three to five
vendors. The IT Steering Committee regularly evaluates IT vendors
and suppliers and makes the ultimate decision of which vendors or
suppliers to bring on board.
Financial Management
• In the financial management governance process, potential investments, services, and asset portfolios are evaluated so that they get incorporated in cost/benefit analyses and ultimately within the budget. IT budgeting, for instance, considers existing IT products, resources, and services in order to assist the planning of IT operations.
• Budgeting is a strategic planning tool (typically expressed in quantitative terms) which aids in the monitoring of specific activities and events.
• Budgeting also provides forecasts and projections of income and expenses which are used strategically for measuring financial activities and events.
• Budgets are useful to management when determining whether specific revenue/cost activities are being controlled (i.e., revenues being higher than budget estimates or costs being lower than estimated budget amounts).
• Budgets indicate how organizations might perform financially, operationally, etc. should certain strategies and/or events take place.
Conclusion
• IT governance establishes a fundamental basis for managing IT to deliver value to the organization. Effective governance aligns IT to the organization and establishes controls to measure meeting this objective.
• Three effective and best practice IT-related frameworks commonly used
by organizations are ITIL, COBIT, and ISO/IEC 27002.
• An example of a common tool to measure IT performance is the IBS. An
IBS provides an overall picture of IT performance aligned to the
objectives of the organization.
• Establishing effective controls in IT and ensuring regulatory compliance
is also a joint effort.
• A strategy is an important first step toward meeting the challenging and
changing business environment. An IT strategic plan is a formal vision to
guide in the acquisition, allocation, and management of IT resources to
fulfill the organization’s objectives.
• To ensure the effective use of resources and delivery of IT projects, as
well as proper alignment with business objectives, organizations employ
governance processes within their annual operating plan.
Questions?
End