Forr Tel IT Governance Frameworks Craig Symons Principal

Forr. Tel: IT Governance Frameworks Craig Symons Principal Analyst Forrester Research June 21, 2005. Call in at 12: 55 p. m. Eastern Time

Theme IT alignment and value are derived from good IT governance

Agenda • IT governance defined • An IT governance maturity model • Structural issues to consider • The four dimensions of IT governance • Existing frameworks • The three pillars of IT governance • Recommendations

Definition ► IT governance is the process by which decisions are made around IT investments. How these decisions are made, who makes the decisions, who is held accountable, and how the results of the decisions are measured and monitored are all parts of IT governance.

IT governance vs. enterprise governance Enterprise governance Governing for constraints Governing for success Accountability fiduciary responsibility Wealth/value creation sustainability Conformance/compliance Performance/results

The five decision types IT governance IT principles IT architecture These are highlevel statements about how IT is used in the business Defining integration and standardization requirements Source: Forrester Research, Inc. IT infrastructure strategies Determining shared and enabling services Business application needs IT investment Specifying the business need for purchased or internally developed IT applications Choosing which initiatives to fund and how much to spend

IT governance maturity model IV III II I Best practices At the fourth level of maturity, IT governance processes are fully evolved and optimized across the enterprise. A strong IT portfolio management process is in place to ensure that all IT investment decisions are optimized; the CEO and executive team are active participants in the governance process; and IT strategy is part of the enterprise strategy. Consistent At the third level of maturity, IT governance processes have been consistently applied across the enterprise. All business units/entities conform to the same set of IT governance processes. IT investment decisions are based on the enterprise view. Fragmented There is an attempt to formalize IT governance processes but on a fragmented basis. These formalized processes may exist in one or more business units and IT decisions within those business units may be optimized, but there is no enterprisewide effort to coordinate investment decisions or examine tradeoffs between business units or enterprise-wide investments versus BU investments. Ad hoc There are no formal IT governance processes, and it's not recognized by management as being a necessity. IT investments are made on a completely ad hoc basis. This scenario is almost always found in highly decentralized organizations, but it is not limited to them. Source: Forrester Research, Inc.

Structural issues to consider Project based All IT resources are centralized under a single reporting structure with centralized resource allocation (staffing). The organizational structure is built around resource pools. Line managers are replaced by resource managers. Federated IT takes on a hybrid structure. A centralized IT organization supports all infrastructure and enterprise-wide applications, usually in a shared services environment. Individual business units maintain their own applications development organizations and budgets for business unit specific systems. Decentralized IT is decentralized by business unit, operating group, subsidiary, or geography. Each of these entities has its own CIO, IT organization, and IT budget. There is little or no attempt to coordinate across units or with corporate. Corporate IT supports the corporate HQ staff and perhaps some enterprise-wide applications. Centralized IT is centralized under a single Enterprise CIO. All IT systems and budgets reside at the corporate level. Source: Forrester Research, Inc.

The four dimensions of IT governance IT value and alignment Accountability IT governance Risk management Source: Forrester Research, Inc. Performance management

Existing frameworks • COBIT • ITIL • ISO 17799

COBIT Source: Forrester Research, Inc.

ITIL T h e B u s i n e s s Planning to implement service management ICT infrastructure T management e The Service c business support h perspective n Service o delivery l Security o management g Application management y Source: ITIL Service mgmt T h e

ISO 17799 1. Business continuity planning 2. System access control 3. System development and maintenance 4. Physical and environmental security 5. Compliance 6. Personal security 7. Security organization 8. Computer and operations management 9. Asset classification and control 10. Security policy

The three pillars of IT governance Governance structures Governance processes Governance communications

Governance structures • Reporting relationships » CIO reports to CEO • Governance specific positions » IT governance officer » IT relationship managers • Committees » IT steering committees » IT architecture and standards committees

Governance processes • IT portfolio management • Service level agreements (SLAs) • Chargeback mechanisms • Demand management

Governance communication • IT balanced scorecard • IT portal • Annual report

Recommendations • Perform a governance maturity assessment • Understand the structural/cultural issues • Obtain executive buy-in • Develop the governance structures first • Develop processes next • Don’t start from scratch • Communicate, communicate

Thank you Craig Symons csymons@forrester. com www. forrester. com Entire contents © 2005 Forrester Research, Inc. All rights reserved.