IT Governance: Organizing the Chaos

by Tripp Johnson

 

Happy New Year, GonzoBankers. Yes, we can all exhale as we made it through yet another year. The Christmas tree has been sitting by the curb for about two weeks, the house is rid of the pine needles (a fake tree tops the 2006 to-do list), and the kiddies have started school again. Now it’s back to the office.

Inhale. Faced with the proof of so many documented, incomplete projects in 2005, a feeling of nausea sets in and the thumping behind the eyeballs that had been suppressed for the past three weeks awakens. Forget that New Year’s resolution to give up the Big Gulp (46 oz.) coffee each morning. Only thirteen days into the New Year and the chaos of running a financial institution’s IT department is in overdrive.

At Gonzo HQ we hate to see this kind of suffering, especially when there are ways to alleviate the problem. A nice quick fix is to re-pack the briefcase, gather up the personal belongings, turn off the lights, and move to Belize. Unfortunately, not too many of us have the juevos to actually follow through with such a bold move. Another option is make 2006 the year to finally put into place a sustaining IT governance framework.

What is IT Governance?
IT governance is a hot topic these days but rarely does one find consistency in how it is defined. Like most topics in our industry, conference organizers and vendors have used the term IT governance as a catchall phrase covering how an IT group is structured and managed. Friends, the last time I checked that was called IT management, not governance. The Gonzo concept of IT governance looks at how decision rights and accountabilities are distributed and shared between business and IT management. IT governance is not about strict rules or bureaucratic processes, nor is it a way for IT to take control of the business – quite the opposite. IT governance is about bringing together business and IT management to enable faster and better decisions around technology investments, implementations, and utilization.

An IT Governance Framework
According to Forrester Research, implementing good IT governance requires a framework based on three major elements:

• Structure – who makes the decisions? What structural groups will be created, who will take part in these groups, and what responsibilities will they have?
• Process – how are IT investment decisions made? What are the decision-making processes for proposing investments, reviewing investments, approving investments, and prioritizing investments?
• Communication – how will the results of these processes and decisions be monitored, measured, and communicated? What mechanisms will be used to communicate IT investment decisions to the board, executive management, business management, IT management, employees, and shareholders?

Structuring IT Governance
Unfortunately, IT governance requires some form of structure to be effective. A bank can’t just say it is going to implement IT governance and presto! it happens.

Putting in place an IT Steering Committee is a necessary first step. This committee should consist of an IT leader, e.g. CIO, CTO, IT Director, and representatives from the lines of business. The chairperson of the committee should NOT be the person in charge of IT. For IT governance to take hold in an organization, business management must be accountable for setting IT priorities based on achieving business objectives. This is a very important point. If IT is seen as setting the priorities, it is doubtful the governance process will be adhered to by the business folks. Instead, this process will be viewed as just another way IT is trying to tell the business lines what they can and cannot do. A key to good IT governance is creating that elusive partnership between IT and business.

IT Governance Objectives
IT governance has four primary objectives: IT value and business alignment, risk management, performance measurement and accountability. Different organizations may define these objectives differently, but in some way each of these objectives should be addressed.

• IT value and business alignment – the primary goal of IT governance is to ensure alignment between IT investments and business objectives. IT delivers value to the business by enabling revenue growth, improved customer satisfaction, market share increases, cost reduction, and rapid deployment of new products and/or services to customers.
• Risk management – risks associated with IT in today’s world, more often than not, pose the same risks to the lines of business. IT risks include but are not limited to security risks, privacy risks, disaster recovery, and the risks associated with failed projects.
• Performance measurement – without keeping score, how is it possible to know whether IT investments are performing well or poorly? Yes, even IT governance needs some type of scorecard.
• Accountability – just being responsible for something doesn’t cut it anymore. In the age of Sarbanes-Oxley, accountability is the name of the game. Effective IT governance holds IT management and business management accountable for technology investment returns. No more finger pointing here, both IT and business must have skin in the game.

IT Governance Frameworks
Before reinventing the wheel on an IT governance framework (that is, if it’s decided some governance is needed), there are a couple of existing IT governance frameworks that can provide a great starting point. Admittedly, many companies find it is best to use pieces of the following frameworks combined with their own components, as no two company’s cultures are the same and getting acceptance within an organization usually takes some customization.

COBIT
Control Objectives for Information and related Technologies (COBIT) was developed in 1996 by the Information Systems Audit and Control Association and is now issued and maintained by the IT Governance Institute as a framework for providing control mechanisms over the IT domain.

COBIT compiles a set of generally accepted control objectives for day-to-day use by business managers and IT managers. COBIT addresses IT governance and key performance indicators associated with process improvement.

At the core of COBIT are 34 high-level control objectives that are grouped into four primary domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. Then, for the non-weak at heart, COBIT consists of another 318 detailed control objectives that correspond to the 34 high-level control objectives. COBIT can be beneficial to an organization that simply stays at the 34 high-level objective layers; even the tried and true can get lost when entering the 318 detailed objectives layer.

ITIL
The IT Infrastructure Library (ITIL), initially developed in the United Kingdom by the Office of Government Commerce, is gaining ground in the global IT community as a solid IT governance framework. The ITIL library consists of eight books: Planning to Implement Service Management, Software Assessment Management, Service Support, Service Delivery, Security Management, Application Management, ICT Infrastructure Management, and The Business Perspective.

ITIL defines the processes to be implemented to deliver and support IT services focusing on the business. The ITIL philosophy revolves around the service desk as a communication platform.

Strength and Weaknesses

• COBIT – is focused on controls and metrics. It lacks a security component but provides a more global view of IT processes at the CIO level.
• ITIL – is strong on delivery and support processes. It describes how to structure operational processes but is weak on security controls.

Organize the Chaos
GonzoBankers should not spend too much time trying to figure out which of the aforementioned frameworks will work best in their organizations. Instead, they should take only the components they clearly understand and add to them if necessary.

Effective IT governance is the silver bullet that many IT managers have been searching for their entire careers. Many bankers may think spending time on governance is a waste and will only add complexity. Trust me, the only way to ever make IT life less complex and day-to-day operations simpler is to implement some form of IT governance.

On the other hand, if you do decide to pack it up and go to Belize, give me a call. I know a great little bar down there.

Good luck,
-tj