Chapter 5  Implementing IT governance

“Look at types of tools that are coming out to support IT governance – they only deal with risk in the development environment. What’s the risk of a project going wrong? They are not yet able to apply themselves to the operational world, the world that transactions live in. To detect, to measure success in any way.”
SPEAKER AT MANAGED OBJECTS ROUNDTABLE ENTITLED: IT GOVERNANCE: THE ROLE OF MEASUREMENT AND METRIC.

Implementing a formal IT governance regime, assuming that you have only ad hoc or informal governance processes at present, involves (despite what some vendors may tell you) a lot more than just buying some software – although once you do have the required culture in place, tools can facilitate the initiative.

A first requirement is to align IT governance with corporate governance in general. Think of this as high-level requirements gathering – what are the business governance issues that currently worry the Board and the company auditors, and what questions would they like to ask or, more importantly, are they afraid to ask? Try to talk in terms of business issues, not technical solutions: of being able to demonstrate that the physical implementation of a bank’s money laundering policy, for example, is tested against the policies discussed by the Board of Directors, not about implementing Model Driven Architecture and Applications Lifecycle Management tools.

This discussion is only an input to your governance initiative. You can’t assume that the Board’s concerns are the right concerns, because informal risk analysis is often driven by media hype and by our tendency to concentrate on the most recent crisis we experienced. After the IRA bombings in London, people moved data centres down into the basement, where they were safe from bombs but far more vulnerable to flooding, which is far more likely to affect a building in London than a bomb.
Nevertheless, you’ll get no credit for your IT governance initiative if you can’t sensibly address the one question the CEO wants to ask, when he wants to ask it (even if the answer goes on to suggest that he/she may be asking the wrong question).

THOROGOOD PROFESSIONAL INSIGHTS 57 5 IMPLEMENTING IT GOVERNANCE

Obtain management sponsorship

The first essential for IT governance is informed top management sponsorship. If management sends mixed messages – if it insists on good governance in practice but pays performance bonuses to people who deliver systems faster by cutting corners – people at the sharp end of IT will soon realize that only lip service to good governance is required. However, since in this situation they will also realize that this makes them ideal scapegoat material if something does go wrong, morale, productivity and systems quality will fall, as a direct result of your governance efforts.

There are three ‘metrics’ for management sponsorship of IT governance:

1. The availability of a corporate IT governance plan, overseen by a Governance Committee, with representation from IT professionals in the IT Group and reporting at Board level. The names are immaterial; the group could easily be called the IT Strategy Committee, say. What is important is that IT governance issues can be raised at Board level and that technically informed input to the discussion is available.

2. An IT governance framework is implemented, typically with an Internal Control department or some such group. What is important is that governance can be policed proactively, not ‘after the fact’ as an Audit Group would. Governance must not be seen as a barrier to implementation but as an assistive process, which ensures that IT systems get it right first time and contain no hidden surprises that will excite the regulators down the track.

3. Provision of a formal budget for the IT governance initiative.
Without a budget, which Internal Control can book time against and which can be used for any tools and training that may be required, you really don’t have a governance initiative, no matter how much people talk about governance.

IT governance methodology overview

You should take a process-based approach to governance, which is why process initiatives like CMMI and ITIL® can be an important underpinning to IT governance. CMMI is about organizational maturity: the ability of an organization to implement a process in pursuit of an objective, measure its consequences and improve the process to better deliver against changing business objectives. ITIL® is a collection of ‘best practice’ processes for managing IT infrastructure. If third parties (such as regulators) question your IT governance in detail, it can be useful to point to your maturity/capability as an indicator that your process can be effectively improved to address the questions raised.

It is significant that Borland, a vendor of Application Lifecycle Management tools, has recently acquired the CMMI and process consultancy TeraQuest. Borland is implementing CMMI Level 3 (the adoption of managed process at the organizational level) internally and will no doubt include process improvement on the CMMI model as part of its Application Lifecycle Management offerings.

You should also take a systems approach to governance. Your internal process is in a state of dynamic equilibrium. Changing external threats and regulations provide external stimuli, resulting in feedback through the Internal Control function to management and the technicians in the IT Group, which results in changes to the internal process that satisfy the new regulations or mitigate the new threats.
Separation of function keeps the whole process ‘honest’:

• The Internal Control Group reports to the Board via the Governance Committee – it is immune to local politics in the IT Group and in business departments, and is focused on corporate strategy. Since it sets requirements but isn’t responsible for systems delivery, it isn’t tempted to interfere in technical matters that are properly the province of the experts in the IT Group.

• The IT Group is presented with governance as, essentially, a systems requirement. It isn’t tempted to compromise governance in the interests of speedy or cheap delivery, because governance is part of what it is delivering. At the same time, it is free to determine the most effective technical solution to the business governance requirements raised by the Internal Control function, without having possibly inappropriate technical controls bolted on to completed systems, which can easily introduce technical defects.

• The Auditors report independently and confirm that the processes are working by comparing practice against the agreed framework everyone should be working to. If it is all working properly, the Auditors should not find problems after the fact, when they are expensive to address, because any problems should have been addressed proactively during systems development/maintenance. However, if the process is starting to fail, the Auditors should be able to proactively alert management to the issue.

As with any other IT project, IT governance needs clear objectives and a budget allocation, and a plan showing how these objectives will be achieved and how the budget will be allocated. Implementation should be in stages, frequently delivering defined governance benefits, rather than a ‘big bang’ implementation delivering perfect governance in one go years in the future – if the company remains focused on the project that long.
The stages in implementing an IT governance initiative from scratch would be, broadly (and in no particular order), as follows:

1. Obtain buy-in on the ground

The impetus to good governance may be clear at Board level, but the troops can be surprisingly cynical about such initiatives. Too many of us have heard managers talk about the best of practices – and seen them reward cowboys for rapid delivery of systems which are full of problems for less charismatic workers to clear up, for little reward or thanks.

Training is probably key to an organization demonstrating to its staff that it is serious about governance – training in new tools, training in performance management, so as to ensure that the possible overheads of governance don’t impact on operational performance. In addition to training, experienced (perhaps external) mentors who have a wide experience of IT generally and recognize, and know how to address, the more subtle governance issues can be helpful.

A governance forum, in which workers at the sharp end can discuss governance issues and suggest solutions in public (far more useful than mutterings around the water cooler about some technically infeasible governance edict), is a good idea. However, you must make sure that you document the action points from such a forum and show the community that the issues it identifies are at least given proper consideration (this is process management through feedback). It is also important that such a forum represents both the business and IT points of view, with fully informed and empowered attendees. If it becomes a cost-focused drag on innovation (e.g. ‘our job is to find out where the IT department wants to spend money and stop it’), such a forum can be counterproductive.

2. Map IT to the business

Generally, there is a ‘many to many’ relationship between business functions and the IT infrastructure.
A particular server (a computer storing both business data and automated data processing systems) may support many business functions, for example; conversely, a single business function may invoke many servers. The best way to document this mapping is with diagrams, but the relationships involved are too complex for this to be done manually. In addition, there is a strong risk that such maps will become out of step with reality. Business process analysis/management tools can provide a useful bridge between the world of IT and the world of business, although there isn’t a lot of evidence that they’re being used for this yet. The best way to maintain such mappings is therefore with automated tools that can generate the framework (at least) for automated systems from models relating business processes to IT systems. Look for suites of systems development tools (not necessarily from the same vendor) that support the entire development lifecycle, from business process modeling and requirements management through to coding and testing.

3. Implement policy-based security and identity management

There is a lot more to IT governance than security, but security is part of it. Good security requires risk and threat analysis, to determine and prioritize the risks facing the organization, and then formulation of a Security Policy, which documents policies designed to mitigate, transfer (through insurance, say) or accept (in conjunction with contingency plans) the various identified risks. Then you can begin to design procedures that will implement the policies. Ideally, the policies will be fairly generic, so that when changing technology or business renders a procedure obsolete, the intent of the policy is clear and can direct the formulation of a new procedure.

Good security is role based, as this aids maintenance.
People in an organization have basic, restricted access as employees; then, as they are given roles in the organization, each role brings with it appropriate access permissions. If people move roles within the organization, they lose the permissions associated with one role and gain those associated with another.

Identity management is related to security. It is all about identifying people unambiguously and managing the attribution of identity to people seeking access to your organization. It includes providing the facilities to enable the unambiguous attribution of actions to identities, essential for audit trails and security. A large part of IT governance comes from people taking responsibility for their actions. Without identity management, your governance is built on sand.

In common with the general tenor of this report, a standards-based approach to security is recommended, although you may not need to formally certify against the standards. ISO/IEC 17799:2000 [StandDir, web] is becoming accepted worldwide as the code of practice for information security management, although you can’t really certify against this, as it isn’t a specification you can assess against. You also need BS7799-2:2002, the corresponding specification (which you can certify against); both are available as a package, with some extra material, as the ISO 17799 Toolkit. ISO 17799 et al. provides an excellent framework for implementing security and ensures that you take a holistic approach, starting with risk management (although it isn’t strong on the details of this) and covering often-neglected areas such as business continuity. However, some form of mentoring from an external security consultant is recommended too – it is difficult to make an unbiased assessment of risk and the threats facing you from inside an organization.

Tools to support IT risk assessment, implement ISO 17799 etc. are available.
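The role-based model and identity-attributed audit trail described in this step, as an added Python example (not code from the Report or from any product it names): every identity starts with the restricted baseline role, a role move revokes the old role before granting the new one, and each change is logged against the identity that made it. The roles, permissions, the clerk/approver separation-of-duties rule and the identities are constructed sample data.

```python
"""Role-based access with an identity-attributed audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample role catalogue: each role carries a fixed permission set.
# 'employee' is the restricted baseline every member of staff holds.
ROLE_PERMISSIONS = {
    "employee": {"read:intranet", "read:own-payslip"},
    "payments-clerk": {"create:payment", "read:payments"},
    "payments-approver": {"approve:payment", "read:payments"},
    "auditor": {"read:payments", "read:audit-log"},
}

# Constructed separation-of-duties rule: nobody may both raise and approve payments.
MUTUALLY_EXCLUSIVE = [{"payments-clerk", "payments-approver"}]


@dataclass
class AuditEvent:
    when: str
    actor: str    # identity that made the change (who is accountable for it)
    action: str
    subject: str  # identity the change applies to
    detail: str


@dataclass
class AccessDirectory:
    roles: dict = field(default_factory=dict)      # identity -> set of role names
    audit_log: list = field(default_factory=list)  # append-only trail of changes

    def _record(self, actor, action, subject, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, actor, action, subject, detail))

    def join(self, actor, identity):
        """A new joiner gets only the baseline 'employee' role."""
        self.roles[identity] = {"employee"}
        self._record(actor, "join", identity, "baseline role employee")

    def conflicts(self, identity, role):
        """Roles already held that may not be combined with `role`."""
        held = self.roles.get(identity, set())
        return {r for pair in MUTUALLY_EXCLUSIVE if role in pair
                for r in held & pair if r != role}

    def assign_role(self, actor, identity, role):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        clash = self.conflicts(identity, role)
        if clash:  # refused grants are logged too, so the attempt is auditable
            self._record(actor, "assign-role-refused", identity, f"{role} vs {sorted(clash)}")
            raise ValueError(f"{identity}: {role} conflicts with {sorted(clash)}")
        self.roles.setdefault(identity, set()).add(role)
        self._record(actor, "assign-role", identity, role)

    def move_role(self, actor, identity, old_role, new_role):
        """Role move: the old role's rights go first, then the new role is granted."""
        if old_role not in self.roles.get(identity, set()):
            raise ValueError(f"{identity} does not hold {old_role}")
        self.roles[identity].discard(old_role)
        self._record(actor, "revoke-role", identity, old_role)
        self.assign_role(actor, identity, new_role)

    def leave(self, actor, identity):
        """Leaver: every role, including the baseline, is removed."""
        self.roles[identity] = set()
        self._record(actor, "leave", identity, "all roles revoked")

    def permissions(self, identity):
        """Effective permissions: the union of the permissions of the roles held."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(identity, set())))

    def can(self, identity, permission):
        return permission in self.permissions(identity)


def demo():
    """Walk one constructed identity through joining, a role assignment and a role move."""
    d = AccessDirectory()
    d.join("hr-system", "alice")
    d.assign_role("it-admin", "alice", "payments-clerk")
    d.move_role("it-admin", "alice", "payments-clerk", "payments-approver")
    return d
```

After `demo()`, alice can approve but no longer create payments, and every entry in the audit log names the system or administrator that made the change.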
Some of these tools can be very useful, but beware of concentrating only on those areas your tools cover and neglecting business risk assessment as a whole: there is little point in mitigating the IT risk affecting a system if the business risk is uncontrolled; and almost any IT security measure can be rendered ineffective if unhappy or unjustly treated staff can be compromised, or if physical access to the premises and IT infrastructure isn’t effectively controlled. In the case of risk assessment tools, in particular, investigate the provenance and localization of the threat database that underlies their risk assessment facilities. A database relating to US threats, say, may not be wholly appropriate in the UK, and a database that is some years old may miss emerging threats (ideally, you should be able to add threats from your own history to the database).

4. Implement BSM across all platforms

Business Service Management (BSM – see Chapter 4) means that you manage your IT infrastructure in terms of the business services it implements. Managed Objects claims to have invented the term [ManObj, web], but it is also associated with HP and BMC Software these days; and BMC’s Atrium CMDB, which addresses the IT Infrastructure Library (ITIL®) requirement for a single enterprise database to ensure data consistency and support integration across differing service management processes, may be a significant enabler for BSM.

Business Service Management is commonly taken to include Service Level Management, Incident and Problem Management, Infrastructure and Application Management (including Licence Management), Service Impact and Event Management, Asset Management and Discovery, Change and Configuration Management, Capacity Management and Provisioning, and Identity Management. Some of these have been split out for special emphasis in the present chapter.

By its very nature, BSM must be cross-platform.
Business users will not be happy if business-friendly service level reporting and management stops abruptly when their data strays onto the mainframe, for example. This is a serious governance issue, as discontinuities in the vocabulary and culture of service level management and security facilitate breakdowns in IT governance at that point.

5. Implement infrastructure management

Having a fully managed infrastructure based on an up-to-date and maintained asset register is an essential part of IT governance. Even something as simple as IT asset management is a vital part of IT governance. If you don’t know exactly what hardware you have and exactly what software is running on it, how can you claim any sort of IT governance? Software piracy is one area where organizations seem to be assumed guilty unless they can prove innocence, and the consequences of a visit by the piracy police (disruption, confiscation, fines) can be immense. Yet how effective can a plea that ‘we’re sure all our software is licensed although we don’t know what software we have and where it is running’ be?

ITIL® is a good basis for infrastructure management, although it is probably sufficient rather than necessary. As well as asset management, capacity management and service level management, the Service Desk function and defect tracking are typically part of an IT governance framework.

6. Implement configuration management

Configuration management involves the identification of the components of an automated system that contribute to the service it delivers, and the management of changes to this configuration (including audit trails and facilities for backing out of unsuccessful changes). Software change control (keeping track of changes to software code as requirements change or defects are addressed) is only part of configuration management.
Defect and problem tracking and service desk support are closely related to configuration management.

7. Implement business continuity management

The availability of IT systems is now critical to the operation of many businesses. This makes Business Continuity Management (BCM) a vital part of IT governance (it’s also required by the ISO 17799 security standard). In fact, it should be built in from the start by designing critical systems to be resilient. BCM is non-trivial to do well and external consultancy may be attractive. It must be firmly based on an objective assessment of risks (itself difficult unless you are an experienced risk assessor), including risks the organization hasn’t encountered yet, and deal with the spectrum of contingency from minor service interruptions to a full-blown disaster that eliminates a data centre in its entirety.

It is important to ensure that IT governance is maintained sensibly (at a managed level) during a contingency, as otherwise a contingency could be engineered as an opportunity to steal data, compromise business transactions or financial reports, or sabotage systems. A ‘whole systems’ approach to business continuity should be adopted. The non-availability of phones or a serious health and safety issue can take out a business service just as effectively as a fire-damaged computer.

8. Implement information lifecycle management

Electronic information can be as important and legally significant as paper documents such as contracts, formal and (potentially forged) instruments. The courts will probably treat any email as an electronically signed document, according to Stephen Mason, Barrister, speaking at SUNLive05 [SUNLive05, web] in London.
The regulations and laws affecting business information (see Chapter 2) say that information must be available to answer auditors’ questions in a timely manner, and its provenance must be capable of proof; but, as well as this, some personal information must be destroyed securely when you no longer need it. This means that you need a policy-based information lifecycle management system (similar in purpose to document management systems in the ‘real world’). This must be able to classify information, store it cost-effectively and securely (possibly with backup copies kept offsite), document its creation, amendment and destruction, and securely audit the critical events in the lifecycle.

9. Implement a systems development/acquisition process

If you build software, you must have a lifecycle development process (see Chapter 4) from business requirements analysis through to coding, testing and implementing systems (in fact, testing should start with validation of the requirements). This is best implemented by training and mentoring, using tools to facilitate desired practice. Simply mandating a development process does not work well.

If you don’t build software, you need a similar process for implementing packages. You still need to analyze business requirements, in order to choose a package which best fits your business process and in order to assess the impact of the business process embodied in the package on your existing business process. And you still need to test package applications, in case they don’t do what they say they will, or you implement them incorrectly. If you customize a package, this is really a small systems development project and similar QA measures are necessary.

10. Optimize processing

If you don’t have a great deal of IT governance, introducing full-blown governance and compliance measures can impact processing overheads – and, therefore, the business (after implementing HIPAA in the States, data volumes often increase by an order of magnitude or more). It is therefore vital to include what Mercury Interactive calls ‘business technology optimization’ [Mercury, web] in your governance program. Put crudely, satisfying the requirements of HIPAA or Sarbanes-Oxley (or local equivalents) can increase, say, database accesses by several orders of magnitude – and, doubtless, many database infrastructures won’t be designed to cope with this. Unless you reassess and, possibly, optimize performance, the immediate result of introducing IT governance may be to impact business performance and, thus, the reputation of IT (and also badly impact your career).

11. Implement problem management

Business Continuity is often thought of as disaster recovery, something standalone that you bring in after a disaster, such as the loss of a data centre in a fire. This is obviously an aspect of IT governance, if the business depends on applications running in that data centre, but this is too limited a view (see Business Continuity Management, BCM, above). Business continuity is also a function of IT problem management. The business needs to be isolated from IT problems: at one end, a significant part of the IT infrastructure is lost and we talk of disaster recovery and BCM; at the other end, a bug is encountered that affects the business, or a small part of the IT infrastructure (a single phone line, perhaps) drops out, and we talk about problem or incident management and defect tracking. In the interests of good IT governance, you should probably see this as a continuum: the impact of IT issues on the business should be limited, well controlled and managed.
This is usually associated with a service desk function, which should aim for pre-emptive identification and mitigation of emerging issues, ideally before they have any impact on a business service. There are many sophisticated service desk packages: BMC Remedy [Remedy, web], for example, or FrontRange’s HEAT [HEAT, web].

12. Demonstrate ROI

At least one of the objectives behind any IT governance initiative is likely to be to better run IT for the organization’s benefit. So, it is very good practice to instrument IT governance systems and report business information so that IT governance, and the ROI (Return on Investment) from the governance project, can be demonstrated on a continuing basis.

Choose your metrics carefully – people tend to deliver what you measure, so if you choose the wrong measures you may get the wrong results. Early attempts to measure the quality of support staff, for instance, in terms of the number of calls completed in a period resulted in a plethora of quick fixes and recurring problems – because continual short-term fixes to the same problem made the metrics look better. It might have been better to measure problems fixed without recurrences and customer satisfaction rather than calls processed. After all, provided it is accessible and servicing the calls it gets, the fewer calls a service desk has to process, the more successful it is!

Look beyond a purely financial ROI. Good IT governance reduces risk, so it increases business confidence and allows you to play in areas your competitors find too risky. It involves efficient provisioning, so new staff get up to speed faster, and promotes a supportive IT environment, with fewer surprises, so staff morale generally should improve. A ‘balanced scorecard’ [BalScore, web] approach to measuring the impact of IT governance is probably appropriate.

It is always important to remember that IT governance is only a means to an end.
‘Better IT governance’ is not really a useful objective; it is better to have increasing the ‘bang per buck’ spent on IT as an objective (measured in business terms), or widening your customer base in areas where good governance forms part of the acceptance criteria, or even reducing the cost of regulatory compliance and controlling the risk of legal action.

Nevertheless, be realistic. If your improved IT governance allows you to win a lucrative contract in the health industry, you can’t accrue the entire profit to your IT governance effort – it may be an enabler, and this is a real non-financial ROI, but the final profit is mostly down to the software or services you supply against the contract. Similarly, if your improved governance makes you more efficient, you can’t claim the man-hours saved as a benefit until you actually reduce headcount or redeploy people onto productive work.

13. Reviews

Reviews of IT systems after changes have bedded in, in order to enable a ‘gap analysis’ of the differences between aspiration and reality, followed by the scheduling of maintenance efforts aimed at reducing any gaps, are an important characteristic of good IT governance. Sometimes, as with CMMI initiatives (see Chapter 2), these reviews are part of a formal process but, regardless of how you approach IT governance, there must be some sort of review and feedback process. Change seems to be part of the nature of IT, so a static governance system, however effective, is unlikely to stay effective for long.

In the next chapter we summarise the findings of the Report.