YITGC Getting IT Organizational Design Right

Cobit's control objective PO4.5, IT Organizational Structure is both innocent looking, yet extremely powerful.  It is part of “Define the IT Process, Organization, and Relationships” PO4.  We have all been part of organizations that have organizational structures aligned to their strategy and of those that are misaligned.  Sadly, many of us have also experienced botched organizational design transitions. 

In this podcast I cover the levers that need to be considered when re-aligning an organizations, and the things that need to be kept in mind to make the journey to the new organizational design a successful one. 

Do you want to learn more about this topic? Please listen to this PodCast now by clicking this link.  If you are reading this in the blog, you may also subscribe to it and automatically get future releases for free by clicking the iTunes or RSS orange buttons on the left column.

What has Changed in CobiT 4.1?

This month the IT Governance Institute published the next version of Cobit, Cobit 4.1. According to information published by ISACA, "COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

COBIT 4.1 can be used to enhance work already done based upon earlier versions; it does not invalidate that previous work. When major activities are planned for IT governance initiatives, or when an overhaul of the enterprise control framework is anticipated, it is recommended to start fresh with the most recent version of COBIT."

I have only started to look at the new version in detail this week, but it does not look like they made major changes emanating from changes in philosophy. Overall, they made changes that help to more clearly and succinctly convey concepts, and to consolidate material that was unnecessarily divided. For example, under AI5, "Procure IT Resources" they consolidated control objectives AI5.4 (Software Acquisition), AI5.5 (Acquisition of Development Resources), and AI5.6 (Acquisition of Infrastructure, Facilities, and Related Services) into one control objective, AI5.4 (IT Resources Acquisition: Protect and enforce the organization's interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.) They similarly changed I7.9, AI7.10 and AI7.11 by combining them with AI7.8. They also revised ME3 to include compliance with contractual requirements in addition to legal and regulatory requirements.

I have found valuable how they expanded the explanation and graphics associated with the use of IT goals and metrics within the Framework section and the rework and graphics associated with application controls such as completeness, accuracy, validity, authorization, and segregation of duties.

Technorati Tags: CobiT

Improvements to CobiT and ITIL

From NetworkWorld article "Industry improves upon best practice frameworks" by Denise Dubie:

"The rate of change in today's enterprise companies demands even best-practice frameworks evolve to keep up with business needs.

That is the thinking behind updates to process guidelines within the IT Infrastructure Library (ITIL) and last week's update to the Control Objectives for Information and related Technology, or COBIT.

The creators of ITIL will later this month reveal updates to the set of best practices around IT service management and delivery. In fact, ITIL Version 3 is expected to provide more prescriptive advice based on real-world use scenarios of the best practice framework, yet remain vendor agnostic.

The IT Governance Institute (ITGI) last week published COBIT 4.1, an incremental update to the IT governance framework which "ensures that IT is aligned with business goals, its resources are used responsibly and its risks are managed appropriately."

Among the updates in this release are enhanced performance measurement, improved control objectives and better alignment of business and IT goals, ITGI officials say.

“COBIT is the only management framework that addresses the complete life cycle of IT investment. The framework supports IT’s achievement of business objectives, ensures business IT alignment, and improves IT efficiency and effectiveness,” said Roger Debreceny, chair of ITGI’s COBIT Steering Committee, in a press release. “COBIT 4.1 is built upon practical guidance from managers around the world who use the framework to improve IT governance in their organizations, so it has been road tested and validated.” "

Technorati Tags: CobiT, ITIL

Corporate Boards Not Devoting Enough Time to IT Topics

According to a Deloitte study, "The Board and Information Technology Strategies" only 11% of the boards discuss IT governance at every meeting. Shocking? Not to me. There are many other corporate assets such as intellectual property and human resources to govern, IT is only one of them. I'd rather have them have quality conversations and effective decision making when they do meet about IT. There's something else I found interesting about the study described in the "Boards Should Walk the IT Strategy Talk" article written by Margaret Locher yesterday in CIO Magazine.

The study found that "Twenty-two percent of the 455 respondents, all directors of companies with revenue of $1 billion or more, said that they blame IT strategy for the companies' inability to achieve its goals. But they don't plan to work toward improving the strategy: 52 percent said their board won't spend any more time on IT over the next three years than it does now."

22% believe their company did not achieve their goals because of IT? I find it interesting that the problem given was "IT's strategy," and not the corporation's strategy to exploit the use of technology. What is then shocking is that after stating that the main problem was a deficient IT strategy they said they were not going to increase the attention they gave to IT topics. Does that make sense? The definition for IT governance found in CobiT begins with "IT governance is the responsibility of executives and the board of directors, and..."

Governance is all about choosing what decisions matter most to an organization and then ensuring those decisions can be made effectively and efficiently to achieve corporate goals. The 22% of the board directors who singled out IT for adversely impacting their company had the accountability to ensure there was a good integration of business unit and IT strategies and to ensure adequate monitoring was in place to carry out those strategies. Does the CIO and others deserve some blame? More than likely, but accountability for IT governance begins with the board.

Technorati Tags: CobiT, IT Governance

YITGC Implementing CobiT: Where to start?

The most common question I get is "We want to implement CobiT, but where do we start?"  First, implementing CobiT is the wrong strategic objective.  Improving IT governance, while taking advantage of the CobiT framework is a better approach.  CobiT, as wonderful of a framework as it is, is only a means to an end. So where do we start?  By identifying the most important IT governance decisions based specifically on the company's strategy and on the IT areas in trouble. Looking at the IT governance decisions that many other companies find critical may be a start.

In general, the following IT governance decisions have been found by many organizations completing benchmarks through ISACA's database to be the most important:

• Do we have a clear and compelling It strategy? (CobiT PO1)
• Are we appropriately assessing and managing IT risks? (CobiT PO9)
• How are we going to manage projects? (CobiT PO10)
• How do we effectively and efficiently manage changes? (CobiT AI6)
• Are we ensuring system security? (CobiT DS5)
• Are we adequately protecting valuable business data? (CobiT DS11)
• How do we monitor and evaluate IT’s performance? (CobiT ME1)
• Are we compliant to regulatory requirements? (CobiT ME3)
• Is there an effective IT governance in place? (CobiT ME4)

Do you want to learn more about this topic? Please listen to this PodCast now by clicking this link.  If you are reading this in the blog, you may also subscribe to it and automatically get future releases for free by clicking the iTunes or RSS orange buttons on the left column.

Good Practices in IT Portfolio Management

IT Portfolio Management fall within CobiT's process PO5: Effectively Manage IT Investments. CobiT defines this process as "Establish and maintain a framework to manage IT-enabled investment programs that encompasses cost, benefits, prioritization within budget, a formal budgeting process and management against the budget."

I mention good practices for Portfolio Management Versus best practices because there are many ways to do this and many companies have different cultures so this is not one process where we can apply a cookie cutter approach. Based on my experience and research I would offer the following as a list of good practices for an effective IT portfolio management governance process:

• Decisions of what project is worth doing and where in a prioritization grid it falls are made by business partners according to well defined decision structures and rights.
• Project ideas are in alignment with a roadmap of strategic business capabilities.
• There is a target portfolio mix describing how assets should be allocated. All projects and candidates are categorized accordingly and the desired versus actual mix is analyzed.
• The criteria for assessing the value of a project candidate is defined and agreed upon. The level of analytical complexity and precision matches the company culture. The value should include monetary and non-monetary benefits and costs.
• The criteria for assessing the risks of a project candidate is defined and agreed upon.
• The decision criteria, including hurdle levels, is defined and agreed upon. I suggest that decisions be made based on how candidates fall on a value versus risk matrix.
• Decisions are made in context of the whole portfolio and not in isolation.
• Resource capacity management and forecasting is in control, since this is typically the Achilles' heel for portfolio management.
• Value realization is captured and reported after project completion.

We can definitely spend time exploring in depth each one of these practices, but I hope this list helps.

Technorati Tags: CobiT, IT Portfolio Management

IT Governance and CobiT Trainning

My consulting firm, itValue Consulting, will be offering training on IT Governance and CobiT on May 8-10, 2007 in beautiful Estes Park Colorado.

Many companies are beginning to realize the value of having a mature and effective IT governance in place. How valuable is governance? As valuable to the business as the entire outcome of a company's IT strategy. You have heard that life is nothing more the cumulative effect of thousands of small decisions. The same is true with strategy. Strategy comes alive and is executed through thousands of decisions made by hundreds or thousands of employees, contractors, and outsourcing employees. Only an effective governance assures that those decisions will actually advance or sustain the strategy. So how important is IT governance? As important as IT's value proposition.

This workshop combines the sharing and gaining of knowledge with consulting to actually apply the concepts right there and then to real life scenarios brought in by the attendees. At the end of itValue Consulting’s 3-day IT governance implementation training, participants will be able to:

• Fully understand the business value of a mature and effective IT governance.
• Assess the maturity of their organization’s IT governance and the capabilities needed to implement and execute an effective governance.
• Use the Decisions@Core framework to guide IT governance implementation.
• Better understand processes and controls of CobiT and its practical use in governance implementation.
• Use a tool to assess and prioritize barriers to governance implementation.
• Develop a high level governance implementation plan, including an organizational change management plan, targeted specifically to their organization.

The location, Peaceful Valley Ranch, is great because it combines the inspiring scenery of the Rocky Mountains, the fantastic food and hospitality of the staff, and state of the art learning facilities.

Contact itValue Consulting to register now.

Technorati Tags: CobiT, IT Governance

IIBA Central Indiana Chapter

On February 13, 2007 I will be speaking at the meeting of the central Indiana chapter of the International Institute of Business Analysis (IIBA), so I hope to see many of the local readers of this blog there. The topic of the presentation is "Becoming More Strategic as a Business Analyst."

About The Presentation
Much of the focus of business analysts is at the project level and rightly so. They add a lot of value helping elicit and document business needs and help develop solutions for those business needs. In the presentation I will challenge business analysts to think more strategically. The more they understand enterprise strategy, the better they will be able to connect the business needs of their "constituents" with those of the organization at large. Also, the solutions are more likely to be aligned with an enterprise architecture. Furthermore, the better business analysts understand frameworks for strategy and governance, the more likely they will be called to actually participate or even facilitate the enterprise and IT strategies that will eventually lead to the formation of various projects.

The authors of the Business Analysis Body of Knowledge recognized this need. In fact, after a chapter introducing the Body of Knowledge, the book begins with "Enterprise Analysis." During the presentation we will cover frameworks for strategy and governance, including CobiT, we will talk about how to link project business needs with strategic needs, and how to help an organization increase the maturity of their strategy.

About the IIBA Central Indiana Chapter
This chapter has been in existence for only a few months, but it is already adding value to its rapidly growing membership. It's chapter goals are:

Raise the visibility of the Business Analyst role in the Indianapolis area
Learn more about Business Analysis best practices
Opportunity to influence and contribute to the profession
Contribute to the Body of Knowledge
Networking opportunities

Please visit their website, IIBACIC, for more information. If you are interested in professionally growing as a Business Analyst, I encourage you to join.

Technorati Tags: CobiT, IT Strategy

Can Cobit Help NASA?

I always find it interesting to read and think about governance issues in non-IT settings to see what we learn. I read a small article about the International Space Station this morning in a magazine called The Week and I couldn't help but think of governance and Cobit.

The station orbits 220 miles above Earth, is 40% complete, and when done it will be bigger than a US football field. It is managed by NASA and it is backed by a consortium of 16 countries including the European Union, Russia, Japan, Canada, and Brazil. It is estimated to be completed in 2010 (4 years later than planned) and at a cost of well over $200 Billion (more than double what was planned).

This is the paragraph that made me think of governance... "There have been disagreements over whose astronauts get to go, whose experiments get top priority, and who pays for what. Japan is angry because NASA dropped plans to install a Japanese-built centrifuge. The European Space Agency has complained that it is not getting enough return on its investment. Science experiments are sometimes duplicated, because nations push their own pet projects, even if they overlap with others. Unanticipated delays have strained budgets and bolstered critics who say the space station was flawed from its inception."

Does it sound like lack of strategic alignment? Lack of clarity of how portfolio management decisions will be made? Issues with resource management in terms of people and financial management? Poor coordination from a solution delivery perspective?

Just one more example about the importance of a good strategy, the criticality of having the necessary leadership to help people align and commit to it, and the importance of having an agreed decision making framework. Do you think they have invested in the relationship management that would allow people from many countries to work in an environment of trust?

Technorati Tags: IT Governance, IT Leadership, puppy

YITGC Improve IT Governance, Don't Implement COBIT

It is essential for organizations to have solid IT governance. However, implementing COBIT is the wrong approach to realizing that. Improve IT governance without implementing an industry-approved framework? Yes, focus on the business vision and the means to achieve that vision.

As IT leaders we have repeatedly failed to realize the amazing benefits that could be achieved when an organization works as an SEI CMM level 3 to 5 organization. There are well documented and statistically proven benefits of achieving SEI levels 3 to 5 in terms of ROI, reduction in number of shipped defects, lower maintenance costs, greater on time delivery, fewer abandoned projects etc. Yet, the last time I looked less than 25% of all organizations that even began implementing SEI CMM achieved levels 3-5.

The benefits of ITIL are also well documented in terms of improvement to the attainment of service levels, alignment wit business partners, reducing risk, and improving business continuity. Again, based on a CIO magazine survey from late 2005, only 11% had reached high levels of maturity, 30% had not done anything and the rest were planning or implementing. I’m afraid many will stay in this “implementing mode” until the efforts are abandoned. Let’s now talk about IT governance...

You May Listen to the Podcast: Download YITGC0602.mp3