
A Thorogood Special Briefing

2nd edition

IT GOVERNANCE
Managing Information Technology
for Business

David Norfolk


Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU
t: 020 7749 4748
f: 020 7729 6110
e: info@thorogoodpublishing.co.uk
w: www.thorogoodpublishing.co.uk

© David Norfolk 2011

All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system or transmitted in any form or by any means, electronic,
photocopying, recording or otherwise, without the prior permission of the
publisher.

This Special Briefing is sold subject to the condition that it shall not, by
way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated
without the publisher's prior consent in any form of binding or cover other
than in which it is published and without a similar condition including this
condition being imposed upon the subsequent purchaser.

No responsibility for loss occasioned to any person acting or refraining from
action as a result of any material in this publication can be accepted by the
author or publisher.

A CIP catalogue record for this Special Briefing is available from the
British Library.

ISBN: 1-854187-45-7
978-185418745-1

Printed in Great Britain by Marston Digital

Special discounts for bulk quantities of Thorogood books are available to
corporations, institutions, associations and other organisations. For more
information contact Thorogood by telephone on 020 7749 4748, by fax on
020 7729 6110, or email us: info@thorogoodpublishing.co.uk

Other Titles from Thorogood Publishing

IT Contracts: Effective Negotiating and Drafting
Rachel Burnett

Managing In-house Legal Services
Mark Prebble

Retention of Title
Susan Singleton

Strategy Implementation Through Project Management
Tony Grundy

Legal Protection of Databases
Simon Chalton

Software Contract Agreements
Robert Bond

Implementing E-procurement
Eric Evans and Maureen Reason

Email Legal Issues
Susan Singleton

The author
David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior
Analyst for Development in 2007 and is now Practice Leader for Development
and Governance.
He has published research papers on Compuware Uniface, data integration, the
Artisan Studio software engineering tool, Capability and Maturity, Enterprise
Architecture and so on; and has spoken at many events (e.g. for the Intel software
community).
David is co-author, with Shirley Lacy, of a practitioner-focussed book on
Configuration Management, Configuration Management: Expert Guidance for
IT Service Managers and Practitioners, published by the BCS.
He first got interested in computers and programming quality in the 1970s,
working in the Research School of Chemistry at the Australian National University.
There he discovered that computers could deliver misleading answers, even when
programmed by very clever people, and was taught to program in FORTRAN.
He then worked in DBA and Operations Research for the Australian Public Service
in Canberra. Returning to the UK in 1982, David worked for Bank of America
and Swiss Bank Corporation, where he occupied positions in DBA, Systems
Development Method and Standards, Internal Control, Network Management,
Technology Risk and even Desktop Support. He was instrumental in introducing
a formal Systems Development Process for the Bank of America Global Banking
product in Croydon.
In 1992, David became disillusioned with the way people issues were being
handled in City IT and decided to start a new career as a professional writer
and analyst. Since then he has written for many of the major computer magazines
and various specialist titles around the world. He helped plan, document and
photograph the CMMI Made Practical conference at the IoD, London, in 2005
and has written many industry white papers and research reports.
He is past co-editor (and co-owner) of Application Development Advisor; is
currently Executive Editor for Croner's IT Policies and Procedures product;
and was Associate Editor for the launch of Register Developer.
David has an honours degree in Chemistry and is a Chartered IT Professional,
has a somewhat rusty NetWare 5 CNE certification and is a full Member of the
British Computer Society (he is on the committee of the Configuration
Management Specialist Group). He has his own company, David Rhys Enterprises
Ltd, which he runs from his home in Chippenham, where his spare moments (if
any) are spent on semi-professional photography (he holds the Licentiate
distinction from the Royal Photographic Society (LRPS) and is working on the
Associateship), sailing and listening to music from classical through jazz to folk.
Read David's blog, The Norfolk Punt, at
http://www.it-analysis.com/blogs/The_Norfolk_Punt/


Contents

MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE  vii
  Management issues in IT governance  viii
  Definition of IT governance  viii

CONTEXT: CORPORATE GOVERNANCE

EXTERNAL PRESSURES: WHAT REGULATIONS?
  The response to apparent governance failures  10
  Legislation affecting IT governance  13
  General legislation with IT governance implications  21

ORGANISATIONAL IMPACT  25
  Culture  26
  Organisational maturity  27
  Roles and responsibilities  32
  Practical experience of governance  34

THE IMPACT ON IT  39
  Enterprise Architecture  41
  IT Governance Standards  42
  IT service management  44
  Lifecycle systems development process  51
  Management reporting: Telling a true story  57
  Practical IT governance tools  59

IMPLEMENTING IT GOVERNANCE  65
  Obtain management sponsorship  67
  IT governance methodology overview  68

CONCLUSIONS  77

APPENDIX  81
  Resources  82


Management overview:
Drivers for IT governance
Corporate scandals such as Enron and perceived issues such as storage of illegal
pornography on company servers, money laundering and terrorism have led to
a change in the way law is applied to limited companies. Increasingly, the buck
stops with the directors (including non-executive directors) of a company who
are held personally responsible for the actions of their companies and, in some
cases, face huge fines and possible imprisonment. There is no doubt that this
has increased Board-level interest in IT governance, as corporate fraud, use of
corporate resources for illegal purposes, sexual and racial harassment increasingly
occur in the digital domain. The latest legislation means that a director who turns
a blind eye towards what is going on in his or her computers and to what may
be stored on company servers will probably find that ignorance is no excuse.
However, although this has been an immediate driver, a moment's reflection will
assure us that IT governance is a very positive thing for a company. Increasingly,
computers are mission critical; increasingly a company couldn't function without
its computers and much of the worth of a company resides in digital IP: intellectual
property in digital form. This includes not only digital documents but also company
knowledge embodied in the algorithms implemented in computer programs and
the models and repositories that are used to analyze and validate business
processes as part of software engineering generally.
If you are not in control of your IT resource, you are not in control of your company.
In the same way that your annual report is audited to ensure that it tells a true
story about your financial position, your computer systems must be audited to
show that they tell a true story in the management reports they provide, in the
databases they update and in the reports they send to your regulators.
Ultimately, you need to be a mature organisation with a measurement culture:
you can't control what you can't measure. You must have well-defined
organisational goals, measure your progress towards these goals and apply
corrections (feedback) if you aren't getting closer to these goals. This is
commonly accepted in business but a largely unconscious exception has
commonly been made in favour of the IT group. How do many organisations
truly measure the ROI (return on investment) from IT? How many organisations
accept IT projects that are late, over budget and wrong as the norm? How many
managers know what their IT staff actually do? How many organisations don't
accurately know how many PCs they have and what programs run on them?
How many organisations don't have an overall picture of exactly what is stored
on their servers?
When the directors of such companies accept responsibility for what their
organisation does and how it does it, how can they do so with any confidence
at all? Such a state of affairs cannot be allowed to continue.

Management issues in IT governance

• Providing an organisational structure that allows Board-level management to
  set strategic goals and cascade these through the organisation down to the IT
  technicians implementing automated systems.
• Aligning IT strategy with business strategy; perhaps, even, making IT an
  integral part of the business.
• Providing an effective communications infrastructure that enables two-way
  communication (feedback) between all the stakeholders in the governance
  process, both internal and external.
• Providing effective low-level enforcement of business-focused governance
  policies in the IT sphere.
• Enabling the effective identification of IT-related risk in the context of
  business service provision, and the translation of IT risk mitigation
  measures into a business terminology.
• Providing metrics for the effectiveness of IT governance.
• Identifying a return on the investment in IT Governance in terms of better,
  faster, cheaper business systems.

Definition of IT governance
IT Governance is that part of corporate governance in general which ensures
that automated systems contribute effectively to the business goals of an
organisation; that IT-related risk is adequately identified and managed (mitigated,
transferred or accepted); and that automated information systems (including
financial reporting and audit systems) provide a true picture of the operation
of the business.


References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the
Resources appendix, at the end of this Report.


Chapter 1
Context: Corporate governance
Modern capitalism, the model to which virtually
the whole world now aspires, is totally dependent
on high standards of governance.
GEORGE COX, ERSTWHILE DIRECTOR GENERAL OF THE INSTITUTE OF DIRECTORS

According to George Cox when he was Director General of the Institute of
Directors, in the Introduction to the director's guide to corporate governance
[IOD, 2004], "Modern capitalism, the model to which virtually the whole world
now aspires, is totally dependent on high standards of governance."
What he means by governance is the overall and rigorous supervision of
company management so that business is done competently, with integrity and
with due regard for the interests of all stakeholders. And this is important, not
for altruistic reasons but because investors wouldn't buy shares in a company
(or, rather, they'd insist on a considerable discount) if it wasn't run that way. As
Alastair Sim, Director of Strategy and Marketing at SAS, points out in his Foreword
to the same work [op. cit.], staying competitive involves maintaining investor
confidence. The best way to do this is to ensure the transparency of a company's
operations to investors and other stakeholders, by supplying them with
appropriate and trustworthy information (with due regard to business
confidentiality) and this is one of the main concerns of corporate governance,
along with the need to comply with applicable laws and regulations.
In the UK, the law is defined by statute; statutory instruments, which implement
Acts of Parliament and can materially affect the impact of a statute; and is further
developed in the courts by precedent so determining exactly what the law says
is not always straightforward and taking expert advice is often a good idea. We
then follow a "comply or explain" approach to governance. What this means is
that, for example, companies with a full London Stock Exchange listing have
to state that they comply with, for instance, the Combined Code (the consolidated
governance rules promulgated in June 1998) but can report exceptions in certain
areas, where they must explain the reasons for their departure from the rules.


The Combined Code [Combined Code, web] places great emphasis on the need
to manage risk, which is largely what the financial reports made available to
the various stakeholders are used for. As Peyman Mestchian (Director, risk
management practice, SAS UK) puts it, "the sensible company takes risks but
not gambles". You must take a holistic and objective view of risk; there is more
to worry about than just financial risk. Reputation risk, for example, is frequently
overlooked until loss of reputation starts to affect the financial bottom-line,
when it is often too late to mitigate it (a reputation that took years to build can
be lost in months). The Turnbull Report guidelines to governance for companies
quoted on the UK stock exchange talk about the risk associated with market,
credit, liquidity, technological, legal, health and safety, environmental, reputation
and business probity issues, as well as financial risk. However, some risk is good:
you can't avoid risk without forgoing the business opportunities associated
with new kinds of customers, new technologies and new products. In fact, risk
avoidance is in itself risky as it limits your opportunities for profit, and doing
nothing is frequently the worst possible response to an emerging issue. What
is important is that commensurate rewards are associated with the risks that
you take, which implies that you have access to reliable information that lets
you forecast the rewards and assess the risks with confidence.
Corporate governance ultimately depends on the good functioning of the Board
of Directors and, increasingly, non-executive directors are asked to take
responsibility for deviations from good governance. Quoting Kerrie Waring,
international professional development manager at the IOD [op. cit.], "A well
functioning Board is key to the performance of companies and their capacity
to attract capital. A well-established corporate governance framework should
ensure that Boards monitor managerial performance effectively to achieve an
equitable return for shareholders and uphold the values of fairness, transparency,
accountability and honesty."
You could say that the prime objective of IT governance is to help rather than
hinder the Board in its governance efforts, as part of a dynamic partnership
between business and technology. (Technologists enable business; business
rewards technologists.) In many organisations, the IT function is seen as a bit
of a loose cannon, subject to different standards, responsibilities and controls
to the rest of the organisation; and, in the long term, this isn't going to be good
for the careers of those employed by the IT function.
Corporate governance is often talked about in the context of publicly quoted
companies, because the shareholders in such companies form a wide and visible
set of stakeholders, and because stock markets underlie most economies these


days. However, similar considerations also apply to private companies, of course,
since although the stakeholders are different and the legal issues perhaps rather
simpler, the owners of the company still need access to reliable information as
to its operation.
Regulations in the USA, say, are generally more draconian these days, although
even Sarbanes-Oxley seems to be less prescriptive and more in the European
style than previous US regulations. This is actually an improvement, as it is harder
to merely comply with the letter of the law if you can be assessed both on what
you consider to be appropriate internal controls and also on the effectiveness
of your implementation of these controls.
International corporate governance rules are also changing, but rules worldwide
seem to be generally moving in the same direction. Eventually, it is hoped that
the mission statement of the International Accounting Standards Board (IASB)
will come to fruition and we will have "a single set of high quality, understandable
and enforceable global accounting standards that require transparent and
comparable information in general purpose financial statements".
Which brings us to Information Technology (IT), since large amounts of
information are seldom stored, processed and retrieved manually these days. Your
financial reporting is only as good as the quality of the data reported. You must
be able to audit the lifecycle of this data from collection through to destruction:
you must be able to show where it comes from, who has access to it and that
any changes are properly authorised. IT can facilitate this: there is an issue with
the transparency of IT (few businessmen are completely comfortable with code
analysis) but business policies can be rigorously enforced in unambiguous
computer code and any risk of manual error mitigated. Well, up to a point:
"garbage in = garbage out" applies and IT systems only do what they are told to
do. This is, of course, a governance issue: the policies embodied in the automated
systems must be aligned with corporate policy, the instructions input to the IT
systems must be the right instructions, and the accuracy of the translation of these
instructions into code must be tested.
IT is also increasingly a major source of risk in companies:

• IT facilitates worldwide access to internal systems, increasing the
  opportunity for fraud and data theft.
• The scope of impact of IT systems failure can be company-wide.
• IT projects are frequently an enabler for new business; in fact, IT systems
  are increasingly central to the operation of many companies.
• Despite the importance of IT, according to the Standish Group Chaos
  Reports [Standish, web], over 80% of IT projects come in late, over
  budget or wrong (and frequently all three); over a quarter are cancelled
  before they are fully implemented.

The Board needs to recognise the risk factors affecting IT projects: very large
projects, visible projects, projects crossing geographical or departmental
boundaries, projects using new technology and projects particularly dear to the
Board's heart are all particularly risky.
IT development failures or operational failures are equally matters of corporate
governance. When Nick Leeson brought down Barings, there was a real failure
of banking governance; essentially, it simply isn't good practice to allow traders
to make their own settlements. However, you can equally see this as partly an
IT governance issue:

• The technology is available to enforce governance policies including
  separation of function.
• Positions and limits can be reported transparently to management.
• The calculation of settlements can be removed from the possibility of
  human error.

What technology can't do, of course, is to inculcate common sense in the Board
or counteract complacency or greed. Even so, increasingly, IT is being made
accountable for technology-driven business outcomes and a technical failure
that is allowed to affect the operation or reputation of a company is being seen
as a failure of corporate governance as, of course, it is.
The next chapter looks at the legal framework underlying governance generally
in the context of IT governance specifically.


Chapter 2
External pressures:
What regulations?
I think the reason that we are seeing an increase in ITIL
[say] over the last 9 months is due to Sarbanes-Oxley. They
have to look at it, it's not a question of should we/shouldn't
we, they do have to look at the process issues.
THOMAS MENDEL, PRINCIPAL ANALYST, FORRESTER RESEARCH.

It is a mistake to see IT Governance as purely a response to external regulatory
pressures, as this engenders a fundamentally unsound attitude: governance
becomes seen purely as a cost, a cost of doing business, over which you have
no control.
In fact, IT governance should be seen as a way in which the Board can ensure
that IT resources are deployed and managed cost-effectively, in the pursuit of
business strategy. The ultimate aim of IT governance is better, faster, cheaper
business; that is, the assurance of business outcomes.
Nevertheless, one aspect of this is the transparency that ensures that all the
stakeholders in a business can satisfy themselves that the business is being carried
out honestly and ethically, in the interests of the business (and community) as
a whole, instead of the dysfunctional interests of particular parties. In the extreme,
IT Governance is about mitigating the risk of internal IT-assisted fraud,
probably a far greater potential disaster to a company than the high profile risk
of external hacking. The positive benefit from this transparency is that you can
demonstrate the probity and reliability of your company to third parties: business
partnerships will be easier to arrange (thus enabling greater automation of
inter-business processes or straight through processing) and raising investment capital
(from shareholders) should be easier.
Unfortunately, it must be apparent that corporate governance in general has
had a bumpy ride at the end of the last century and the beginning of this one.
The Bank of Credit and Commerce International survived conventional auditing
for years, despite being run as a criminal enterprise (a fact apparently known
to many inside the banking industry, where it was sometimes referred to as the
Bank of Crooks and Conmen International). It became apparent that many people
held more non-executive directorships than they could manage if they were really
overseeing the governance of the companies they held them with, and were
treating them simply as a rewarding perk; and then Enron threatened to make
the idea of corporate governance a joke.
Since a lack of confidence in the operational probity of commercial organisations
threatens the very fabric of international commerce, governments rapidly began
to investigate the issue of what proper internal control should be and then to
tighten up regulatory legislation. This generally addressed corporate governance
in the widest sense but, unavoidably, had implications for IT governance
specifically.
Fortunately, most new legislation is no longer purely prescriptive (that is, it doesn't
just specify a list of more-or-less arbitrary rules) but attempts to engender good
practice and foster organisational maturity. A company that satisfies the spirit
of Sarbanes-Oxley, for example, will be a better-managed company, able to
measure the effectiveness with which it aligns IT objectives to business
objectives, able to demonstrate the effectiveness and honesty of its financial
reporting and able to operate more cost-effectively as a result.
Even so, there is a lot of new legislation surrounding financial reporting and
internal control generally, which the IT group must be aware of. It is always going
to be more effective in the context of an evolving business and rapidly changing
technology if IT governance is built into automated systems from the start. This
means adopting a lifecycle development and maintenance process, which treats
regulatory requirements as equal in importance to the other business
requirements and implies that automated systems are tested against scenarios
derived from applicable legislation. In general, the IT group can expect business
stakeholders in an automated system to tell it what the regulatory requirements
are, but the IT analysts must question what they are told and ensure that automated
systems can satisfy non-functional requirements for effective audit trails, access
controls and systems resilience, which originate in governance-promoting
legislation. In turn, this means that they must be aware of what legislation exists
and what sort of controls it mandates, at least so they can have sensible
conversations with business managers as to what is needed.


The response to apparent governance failures

There are several commissions/committees etc. that have reported on corporate
governance and which provide a background to IT governance. Broadly speaking,
these seem to have had wide influence, so that the Cadbury Report in the UK, for
example, may well influence US legislators formulating US legislation.

Committee of Sponsoring Organisations of the Treadway Commission (COSO)
As long ago as 1985, The National Commission on Fraudulent Financial
Reporting (the Treadway Commission) was set up under joint sponsorship by
the American Institute of Certified Public Accountants (AICPA), American
Accounting Association (AAA), Financial Executives International (FEI),
Institute of Internal Auditors (IIA) and Institute of Management Accountants
(IMA, formerly the National Association of Accountants) to address the issue
of fraudulent financial reporting. It resulted in the setting up of a task force under
the auspices of the Committee of Sponsoring Organisations of the Treadway
Commission (COSO) [COSO, web], which developed a set of practical, broadly
accepted criteria for establishing internal control and then evaluating its
effectiveness. In 1992, this issued the Internal Control-Integrated Framework,
commonly called the COSO framework, which has in turn influenced other
initiatives, such as COBIT (Control Objectives for Information and related
Technology) from the IT Governance Institute. COSO was developed in the USA
but has influenced thinking on internal control and governance worldwide.
COSO describes an internal control process, run by the Board with the
co-operation of an organisation's management, which addresses the need for:

• effective and efficient operational processes;
• reliable and truthful financial reporting processes; and
• compliance with all applicable laws and regulations.

Report of the Committee on the Financial Aspects of Corporate Governance
(Cadbury Report, 1992)
This began the process of formalising corporate governance in the UK and
included a code of best practice. It was extended to cover, for example, corporate
pay by the Greenbury Committee.


Combined Code on Corporate Governance (UK)
In 1995 a review of corporate governance in the UK started under the
chairmanship of Sir Ronald Hampel, culminating in the Final Report: Committee
on corporate governance, issued in Jan 1998. In June 1998, this resulted in the
Combined Code [CC, web], which has more or less regulated corporate
governance in the UK since, although it has been developed further (see The
Higgs Review, below).

Organisation for Economic Co-operation and Development (OECD), Principles of
Corporate Governance
These were first published in 1999 and updated following a consultation process
started in 2004, with representatives from, for example, business, trade unions
and governments. The principles assert such things as the right of investors to
nominate and elect company directors, question companies on their compensation
policy and to ask questions of the auditors. The OECD also expects Boards to
protect whistle-blowers by allowing them confidential access to someone on
the Board. The review process for the OECD Principles of corporate governance
is described at [OECD, web].

Bank for International Settlements (BIS), Enhancing Corporate Governance in
Banking Organisations
The Bank for International Settlements (BIS) is an international organisation that
fosters international monetary and financial cooperation and serves as a bank
for central banks. The head office is in Basel, Switzerland and it has representative
offices in the Hong Kong Special Administrative Region of the People's
Republic of China and in Mexico City. It was established in 1930 and is the world's
oldest international financial organisation. The BIS report, Enhancing corporate
governance in Banking Organisations (1999) [BIS, web], is a useful summary
of the principles of corporate governance in 1999, referencing the Basel
Committee etc. The BIS site is generally a useful source of information on banking
governance.

Internal Control: Guidance for Directors on the Combined Code (Turnbull Report)
The Turnbull Report was issued in 1999 and adopting its recommendations
[Turnbull, web] is mandatory for companies quoted on the UK Stock Exchange,
but the recommendations are far from prescriptive, although companies will


find them sufficiently challenging. They call for Audit Committees to adopt a
broader role in corporate governance and reiterate that the Board should maintain
an effective internal control regime. This implies accuracy and transparency in
the IT reporting systems that must be a foundation of any such effort.
The Financial Reporting Council reviewed Turnbull in July 2004, which affects
accounting periods starting on or after 2006. This review found that the Turnbull
guidance still generally achieves its intended effect, in the light of UK and
international experience since 1999 although there are questions as to how far
it has succeeded in promoting the actual embedding of governance in business
processes. The Turnbull Review Group made only a small number of changes
to the Turnbull Guidance, one being that the boards statement on internal control
should confirm that necessary actions have been, or are being, taken to remedy
any significant failings or weaknesses in internal control. Turnbull at present is
concerned with the spirit of corporate governance and isnt very prescriptive;
it remains to be seen whether it becomes more prescriptive over time, along
the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull,
although less purely prescriptive than is usual with US regulations). The UK
Auditing Practices Board revises its bulletins on The Combined Code on corporate
governance: Requirements of Auditors under the Listing Rules of the Financial
Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin
2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is
superseded by Bulletin 2009.4, Developments in Corporate Governance
Affecting the Responsibilities of Auditors of UK Companies, issued in December
2009 (see the list of Bulletins at [APB, web], for example).

IT Governance Institute, Control Objectives for Information and Related Technology
The Control Objectives for Information and related Technology (COBIT) framework
is an important one, developed by the IT Governance Institute in the context
of COSO and built on the premise that the role of IT is to deliver the information
that an organisation needs in order to meet its objectives. IT governance is then
the process that ensures that IT satisfies this role adequately. A useful introduction
and overview of COBIT is contained in the Board Briefing on IT Governance,
from the IT Governance Institute [BoardBrief, web].

The Higgs review
Derek Higgs was commissioned by the DTI to review the role and effectiveness
of non-executive directors in the implementation of good corporate governance.
He reported in 2003 with a set of suggested changes to the Combined Code,
which was republished accordingly in that year.
The Combined Code is now under the auspices of the Financial Reporting Council
(FRC) and further changes can be expected as and when needed to ensure that
it remains relevant in the face of changing business conditions and technologies.

Legislation affecting IT governance
Legislation affects IT governance and it is important to actually read the legislation,
as well as any guidance notes or press releases. Many vendors seek to generate
sales from high profile legislation, and only by referring to the legislation itself
will you discover that there may be, for example, exceptions for smaller companies
or wider issues that make a vendor's 'silver bullet' solution unlikely to be effective.
For example, 'SOX kits' are available which promise to deliver Sarbanes-Oxley
compliance, but in the absence of an active and well-understood process
framework it is unlikely that these will deliver more than compliance with the
letter of the law on the day that they are delivered. Since directors are supposed
to revisit internal controls whenever anything which might affect them changes,
it is likely that any silver bullet will prove to be expensive in the longer term,
may well prove not to deliver the compliance with the spirit of the law that
regulators expect, and won't deliver the organisational benefits possible from
a holistic approach.
Of course, if you put in place the frameworks, processes and organisational
maturity necessary to comply with the spirit of Sarbanes-Oxley, say, you may
find a silver bullet technology that meets your needs, but it is then hardly just
a silver bullet.
The main act affecting companies in the United Kingdom is the Companies Act
2006. This is the longest Act of Parliament ever enacted in the United Kingdom
(305,397 words) and it is supported by numerous regulations having the force
of law. In effect, it establishes an equivalent to the US Sarbanes-Oxley Act (see
below) in the UK. It is less prescriptive and detailed than SOX (UK companies,
unless listed on a US stock exchange or subsidiaries of US companies
etc., should concern themselves with the Companies Act before getting paranoid
about SOX), although the devil is in the detail of how the regulators and law courts
interpret the Act. The Companies Act 2006 affects (or is capable of affecting) IT
governance in many ways, but the following should perhaps be particularly noted:

Statutory registers
Each company is required to maintain and update as necessary a register of
members and certain other statutory registers.

Accounting records
A company must keep adequate accounting records sufficient to show and explain
the company's transactions, to disclose with reasonable adequacy the financial
position of the company at any time and to enable the directors to prepare accounts
in accordance with the Act (s. 386).

Statutory accounts
Directors are required to use the accounting records to produce statutory accounts
that fulfil the legal requirements, and to prepare a directors' report (and in some
cases other reports) that give prescribed information. These must be signed to
indicate that the directors accept responsibility. If an audit is compulsory or if
an audit has been commissioned even though it is not compulsory, the accounts
are then audited and the auditor will sign the audit report. In all cases, signed
accounts must be sent to every company member and to Companies House.
Obviously, IT systems must provide accurate information for these purposes.

Auditors' rights
Auditors have a right of access at all times to the books, accounts and vouchers
of the company. They also have the right to require from directors, other officers,
employees and certain other persons such information and explanation as they
think necessary for the performance of their duties. Any person who, in making
any statement (orally or in writing) that purports to convey information or
explanations to the auditors in the course of their audit, knowingly or recklessly
makes such a statement that is misleading, false or deceptive in a material particular,
commits an offence punishable by a fine or imprisonment for up to two years
(or both). Failure to provide requisite information or explanations is also
punishable, unless the person concerned can prove that it was not reasonably
practicable to provide them (s. 501).
Company management, and its directors in particular, should think in advance
about the sort of information the auditors might need and ensure that systems
are designed to provide it (or can be easily modified to provide it) as and when
required. This policy then forms a non-functional requirement for systems
development in general, which developers must be made aware of. Similarly,
the provision of robust audit trails for financial information becomes a general
non-functional requirement.
Further, the only practical way you can be sure that your policies concerning
the provision of audited financial information have actually been adopted in the
automated systems that you use is to implement recognised industry best
practice processes for the development of automated systems and the
operational management of the infrastructure that they run on, such as the
Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure
Library [ITIL, web] procedures. Beyond even this, a company might find that
process improvement (the ability to say what you are going to do, measure what
you actually do and apply changes to the process that reduce any gap between
aspiration and achievement) helps it to address regulatory criticisms in a
cost-effective way and to cope with changing circumstances. One recognised
process improvement regime for IT organisations is CMMI (Capability Maturity
Model Integration) from the Software Engineering Institute [CMMI, Web].

Statement in the directors' report
The directors' report must contain a statement from each of the company directors
at the relevant time, to the effect that there is no relevant audit information of
which the auditors are unaware (as far as the director knows), and that he or
she has taken all appropriate steps to make him or herself aware of such
information and to bring it to the attention of the auditors.

Directors' duty to exercise reasonable care, skill and diligence
The Companies Act lists a number of directors' general duties, including a duty
to exercise reasonable care, skill and diligence. The remedy for a claimed failure
in this regard is a civil action by the company against directors believed to be
at fault.
A director must exercise the degree of care, skill and diligence that would be
exercised by a reasonably diligent person with:
• the general knowledge, skill and experience that may reasonably be
  expected of a person carrying out the same functions as the director
  in relation to the company; and
• the general knowledge, skill and experience that the director actually
  has.

The director must meet the higher of the two requirements and it is interesting
to note that this duty follows the duty set out in Section 214 of the Insolvency
Act 1986.
As a practical example, it means that a non-executive director who is a well-qualified
and experienced solicitor must bring the care, skill and diligence expected
of such a person to a very small private company that operates a fish and chip
shop. On the other hand, an unqualified and inexperienced director of a major
public company must meet the standard expected of a director of that type in
a company of that type.
It is relatively easy to set out the required standard, but it must of course be
translated into a myriad of individual circumstances, which may not be easy in
practice. Judges have in the past (especially in the distant past) taken a very relaxed
view about the standards expected, but the requirements have grown more
demanding over the years, and especially in recent years.
Directors are not expected to be experts in everything, which is an obvious
impossibility. They are expected to use common sense, give a reasonable amount
of time and effort to the company and to make suitable enquiries when necessary.
They are expected to do what may reasonably be expected of a director of that
type in a company of that type, and if they have particular skill, knowledge or
training, they are expected to use it. This means, for example, that if a director
is the Chief Technical Officer and a skilled programmer, he or she would have
some responsibility for poor IT systems that do not implement company policy
or which permit fraudulent practices.

Sarbanes-Oxley Act (USA)
Sarbanes-Oxley (SOX, [SOX, Web]) is US legislation but it is very high profile.
Mark Mitchell of Informatica has met UK companies that are not subsidiaries
of US companies or listed on US stock exchanges, that claim to have a strategy
involving Sarbanes-Oxley compliance. This is usually revisited when he points
out the likely cost of this (although there are reasons for pre-emptive compliance:
the prospect of takeover by a US company, perhaps). Effective IT governance
is a worthwhile goal, but compliance with any regulations that don't specifically
apply to you, without a clear business reason, is very unlikely to be cost effective.
Nevertheless, SOX does affect many UK companies. In the Netegrity Security
and Compliance Survey [op. cit.], however, only 15% of respondents thought
that it was important. It seems rather unlikely that 85% of UK companies are
neither listed on the New York Stock Exchange nor NASDAQ; nor offshoots of US
companies; nor doing significant business with US companies (in which case
they'll need to supply the information their partner needs to satisfy SOX); nor
likely to be taken over by, nor merge with, a US company.
Generally, SOX involves implementing an internal control framework such as
COSO (see above), and only a recognised control framework that is established
by a body or group that has followed due process procedures, including the
broad distribution of the framework for public comment, will be accepted.
The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticised), then you devise a defensible approach to internal
control for your systems, and then you must demonstrate that you are adhering
to your own rules. In other words, it's not simply a case of adhering to the rules;
there's an effectiveness measure too (and this is more along the lines of European
regulatory practice).
The impact on IT is that it must facilitate this process, by building into its systems
and processes facilities that provide the information needed by SOX, the audit
trails needed to assure the integrity of this information, and so on. The IT Group
must also be wary of 'Silver Bullet' solutions: cosmetic quick fixes for
compliance that are a constant maintenance overhead when the business changes
[Faegre, web].
The two sections with most impact on IT are 302 and 404(a), which deal with
the internal controls that should be in place to ensure the integrity of a company's
financial reporting, and this will impact directly on the software that controls,
transmits and calculates the data used to build the company's financial reports.
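What 'audit trails needed to assure the integrity of this information' (and the
robust audit trail non-functional requirement noted above under auditors' rights)
can mean in practice is worth making concrete. The Python below is an added
illustration, not code from this briefing or from any body it cites. It records
journal entries in a keyed hash chain: each record carries an HMAC-SHA256 over
its own content plus the previous record's MAC, so a later edit, deletion or
reordering of any earlier record is detected by a verifier holding the key. It
assumes a hypothetical audit key held by the audit function rather than by the
application that writes the log, and the journal entries are constructed samples.

```python
"""Tamper-evident audit trail for financial journal entries (added example).

Each record carries an HMAC-SHA256 over its own canonical content plus the
previous record's MAC, forming a chain. A verifier holding the key can detect
an altered, deleted or reordered record. Truncation of the tail is only caught
if the latest MAC has been anchored somewhere the application cannot rewrite
(for example, handed to the auditor at period end), so verify() also accepts an
externally held head MAC.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # stands in for the "previous MAC" of the first record


def canonical(body: dict) -> bytes:
    # Deterministic serialisation: the writer and every later verifier must
    # hash exactly the same bytes, whatever dict ordering they started with.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class AuditLog:
    key: bytes  # hypothetical audit key; held by internal audit, not by the app
    records: List[dict] = field(default_factory=list)

    def append(self, who: str, action: str, payload: dict) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {
            "seq": len(self.records),  # position in the chain
            "who": who,
            "action": action,
            "payload": payload,
            "prev": prev,              # links to the previous record's MAC
        }
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        record = dict(body, mac=mac)
        self.records.append(record)
        return record

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first
        record that fails. A truncated tail reports len(records) when the
        externally anchored head MAC is supplied."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i  # reordered, deleted or spliced record
            expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, record.get("mac", "")):
                return i  # content edited after the fact
            prev = record["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.records)  # tail missing: chain consistent but short
        return None


def build_sample_log(key: bytes) -> AuditLog:
    # Constructed sample entries, not real transactions.
    log = AuditLog(key)
    log.append("alice", "post_journal", {"account": "4000", "amount": 1250.00})
    log.append("bob", "post_journal", {"account": "5010", "amount": -300.00})
    log.append("alice", "approve", {"journal_seq": 1})
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a key the application cannot read
    log = build_sample_log(key)
    head = log.records[-1]["mac"]  # what you would hand to the auditor
    print("intact:", log.verify(head))
    log.records[1]["payload"]["amount"] = -30000.00  # quiet edit of a posted journal
    print("edited record:", log.verify(head))
```

The design point is that the chain alone proves nothing about records that were
never written or that were removed from the end; only anchoring the latest MAC
with a party the application cannot influence (the auditor, a write-once store)
closes that gap, which is why the key and the head MAC belong outside the
system that produces the journal.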

SOX SECTION 302
Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the
accuracy of their company's quarterly and annual reports. They must state:
1. That they have reviewed the report.
2. That to the best of their knowledge, the report contains no untrue
   statement of a material fact and does not omit any material fact that
   would cause any statements to be misleading.
3. That to the best of their knowledge, the financial statements and other
   financial information in the report fairly present, in all material respects,
   the company's financial position, results of operations and cash flows.

4. That they accept responsibility for establishing and maintaining
   disclosure controls and procedures, and the report contains an
   evaluation of the effectiveness of these measures.
5. That any major deficiencies or material weaknesses in controls, and
   any control-related fraud, have been disclosed to the audit committee
   and external auditor.
6. That the report discloses significant changes affecting internal controls
   that have occurred since the last report, and whether corrective actions
   have been taken.

There are serious civil and criminal penalties for making untrue statements in
the areas above, so C-level executives are placing considerable trust in the integrity
of their IT systems and the people developing and supporting them. This means
that they will start taking an interest in the IT process, and that this will likely
become seen as an area C-level executives worldwide should be interested in,
even if SOX isn't involved.

SECTION 404(A)
If Section 302 might have onerous implications for executives, Section 404 sets
out the rules in detail (and you should check the Securities and Exchange Commission
(SEC) website [SECSOX, web] for the latest details and implementation dates).
In September 2003 the SEC said, 'We recognise that our definition of the term
internal control over financial reporting reflected in the final rules encompasses
the subset of internal controls addressed in the COSO Report that pertains to
financial reporting objectives.'
The SEC expects to see an Internal Control report in a company's annual report
that:
• states that company management is responsible for establishing and
  maintaining adequate internal control over financial reporting for the
  company;
• identifies the framework against which the effectiveness of this
  internal control is assessed by management;
• assesses the actual effectiveness of the company's internal controls in
  practice, as at the latest financial year-end; and
• states that the company's auditor has attested to management's
  assessment of its internal controls.

Not surprisingly, perhaps, in view of its general findings, the Netegrity Security
and Compliance Report [op. cit.] found that about a third of those that thought
SOX was important (only 15% of the total, remember) weren't spending any
money on technology to facilitate compliance with Section 404; and a further
third were spending less than 50,000. In the light of this, it will also be no surprise
that almost 90% of them either weren't sure that they'd manage to get their
internal controls accredited against SOX, or thought it not likely. Leaving aside
the question of penalties, is it possible that prospective partners in, investors
in, or purchasers of a business might think a business that couldn't satisfy SOX
Section 404 represented an increased risk compared with investing in, say, a
more compliant organisation? One would certainly think so.

The 8th EU Statutory Audit Directive
The EU Statutory Audit Directive (revised from the 8th Company Law Directive)
is the European equivalent to Sarbanes-Oxley [8thDirCons, web] and has been
progressively implemented since 2006; the position early in 2010 (see the
Scoreboard on the transposition of the Statutory Audit Directive (2006/43/EC)
published by the EC [EUAuditDir, web]) was that the vast majority of EU member
states had incorporated the Directive in their law. In the UK, it is implemented
through the Companies Act 2006, as amended by the Statutory Auditors and
Third Country Auditors Regulations 2007 (SI 2007/3494) etc.
The UK regulators are generally interested in balancing principles and detailed
rules (presumably this reflects UK concern with the spirit rather than the letter
of company law) and the principles of subsidiarity and proportionality.
The UK ICAEW, for example, is liaising with UK Government, the European
Commission and other stakeholders on the implementation of this Directive in
the UK [see ICAEW, web]. James S Turley, Chairman and CEO, Ernst and Young,
sees this Directive as a welcome step towards global corporate governance
standards. It certainly underlines the global nature of commerce today and hence
the need for global regulation.

Basel II and the EU's CRD
The Basel Committee on Banking Supervision issued a revised framework for
capital adequacy (covering credit, market and operational risk), generally known
as the Basel II (or Basel 2) accord, in June 2004. This came into full effect in 2007.
In July 2004, the European Commission published a Capital Requirements
Directive (CRD) to bring Basel II into European Union (EU) law.

Basel II had a significant impact on banking processes and the IT systems that
implement and support them, largely in the area of credit risk profiling and
monitoring. The UK FSA issued a consultative paper, Strengthening capital
standards, in January 2005 (consultation closed at the end of April 2005), putting
forward the options for implementing CRD in the UK.
Basel II is of great importance to banks, but probably won't affect companies
in general very much. For financial institutions, however, Basel II has some quite
subtle implications, especially as some financial observers think that banking
is all about the serious business of trying to evade the spirit, if not the letter, of
the new accord without being ambushed by the small print. Risk management
is not particularly deterministic and the new rules may simply mean that risk
is transferred to less (or differently) regulated subsidiaries. This could certainly
result in some challenges for the IT group: a need for rapid changes to financial
systems as risk arbitrage opportunities arise and disappear. This will be an
environment not especially friendly to IT governance (higher levels of
capability/maturity may not be particularly appropriate, for example), but business
needs must rule and IT risk must still be managed (look what happened to Barings
when controls were relaxed for a new business environment and a dealer was
able to make his own settlements).
As predicted in the first edition of this report, issues with Basel II in practice
resulted in the development of what is generally being called Basel III, which the
G20 is talking about finalising in 2011 and implementing from 2012.
This is undoubtedly being driven by the near collapse of the banking system in
recent years and is likely to attempt to regulate definitions of tier 1 capital (which
constitutes the most commonly cited financial strength metric for a bank) and
necessary capital buffers, allowable leverage ratios, measures to limit counterparty
credit risk and short/medium term liquidity ratios.
However, some banks are resisting more regulation as it might impede their ability
to function (although some might see that as no bad thing) and in September 2010
the FT reported 'German banks try to fend off Basel III' [FT, Web]. The implication
for IT organisations in the Financial Services and Banking industry is that the
regulations that their systems will have to enforce (and the degree to which they
will be enforced in practice) are by no means defined yet. This is a lesson for IT
generally: automated systems must be defined so as to support whatever
regulations are in force (this is a definite requirement to analyse, even if a system's
sponsors sometimes forget to mention it), but they must be particularly flexible
(agile) in this area, as regulations are never set in stone and can move rapidly up
senior management's agenda in response to particular crises or scandals.

General legislation with IT governance implications
A great deal of legislation has implications for the design and implementation
of IT systems, and always remember that IT isn't a special case. The Internet,
for example, is often thought of as unregulated, because much legislation was
formulated before the Internet came along or without any particular reference
to it. In truth, however, it is over-regulated, since existing legislation usually applies
to it anyway, whether appropriate or not. Of course, some of this legislation
would be very hard to enforce, but inappropriate legislation that is only erratically
or arbitrarily enforced is hardly a sound basis for electronic or computer-supported
commerce.
One of the objectives of corporate governance in the COSO framework is
compliance with all applicable laws and regulations. In the IT world, this means
that you must address, at least (the list isn't exhaustive):

• The Freedom of Information Act (UK) [FI, web] or the equivalent in
  other countries. This only applies to public authorities, but it
  will affect the design of information storage and retrieval systems for
  such bodies (not only must information be retrievable, but the
  performance impact of this must be considered).
• Data Protection regulations; for example, the Data Protection Act (UK)
  [DPA, web] and legislation throughout Europe enforcing the EU Data
  Protection Directive. Not only must you protect personal information,
  which you can only collect and use for specified purposes, you must
  destroy it securely when it is no longer needed and provide facilities
  for the subjects of personal data to access and correct it. A particular
  issue for many global automated systems that may start to rely on Cloud
  Computing technology, where the location of data at any particular
  time is not well defined, is that the Directive restricts the transfer of
  personal data outside the European Economic Area: unless the destination
  ensures an adequate level of protection, or one of the Directive's other
  permitted bases for transfer applies, storing or transmitting it there puts
  you in breach. A system whose data location you cannot state is a system
  whose compliance you cannot demonstrate.

• Intellectual Property (IP) protection; for example, the UK Copyright,
  Designs and Patents Act and others [CopyRight Act, web]. In many cases,
  the most valuable property in a company is its IP, and it is particularly
  hard to manage technology IP, because a lot of it is still in people's heads.
  An important related issue these days is software licensing. Unlicensed
  software may have been hacked crudely and made unreliable, or even
  insecure, although it is hard to see that this makes it much worse than
  some legitimate products. However, it is illegal, and the activities of
  organisations such as the Business Software Alliance [BSA, web] or
  FAST (the Federation Against Software Theft) [FAST, web] make even
  unintentional use of unlicensed software unacceptably risky. In January
  2004, the Federation reinforced its use of criminal proceedings to crack
  down on the misuse of software under s.109 of the Copyright, Designs
  and Patents Act 1988. Companies have been prosecuted even while in
  the process of addressing their licensing issues, and the interruption
  to business (from confiscated computers etc.) and loss of reputation
  may be a bigger problem than the fine.

• Health services and pharmaceutical regulations such as, for example,
  the US Health Insurance Portability and Accountability Act of 1996
  [HIPAA, web], and various pharmaceutical industry regulations
  worldwide. The pharmaceutical industry is particularly highly regulated.

• Telecommunications regulations such as the Regulation of Investigatory
  Powers Act (RIPA) [RIPA, web]. This impacts the interception of
  electronic communications and the use of encryption technology (RIPA
  Part III includes powers to require the disclosure of an encryption key
  or of protected material in intelligible form).

• The Health and Safety at Work etc. Act 1974 in the UK [HAS, web]. This applies
  to workers in IT just as much as anywhere else. It isn't perhaps an IT
  governance issue, exactly, but it is important to remember that IT
  workers are not exempt from Health and Safety issues and some of
  these (the impact of computer monitors on eyesight and Repetitive
  Strain Injury (RSI) from keyboard use, for example) are particularly
  related to computer use.

• The WEEE Recycling Directive [WEEE, web]. This probably won't
  impact end-users of IT much, but it may impact Operations, as most
  electronic equipment must now be recycled when it is disposed of
  (luckily, the vendor probably has to arrange this).

• The Disability Discrimination Act 1995 [Disability, web]. Again, like Health
  and Safety, IT organisations are not exempt. In particular, web sites must be
  designed to facilitate access by the differently abled. The key standard
  in this area is the Web Content Accessibility Guidelines, created by the
  Web Accessibility Initiative of the W3C [WCAG, web]: WCAG 1.0 (1999)
  and its successor WCAG 2.0, a W3C Recommendation since December 2008.

• Anti-Money Laundering legislation, which (in the UK) is embodied in
  several pieces of primary legislation: the Criminal Justice Act 1988
  (as amended), the Drug Trafficking Act 1994, the Terrorism Act
  2000 (as amended) and the Proceeds of Crime Act 2002, which consolidated
  the earlier money laundering offences. This largely, although not exclusively,
  affects banking and financial organisations, which must make Suspicious
  Transaction Reports (STRs), if money laundering is suspected, to either the
  law enforcement authorities or to the relevant Money Laundering
  Reporting Officer (MLRO).
  Obviously, automated financial processing systems may have to recognise
  suspicious transactions and this may impact IT systems design;
  there is also a possibility that STR processing may appear to conflict
  with the requirements of the Data Protection Act (since 'tipping off'
  the subject of an STR is illegal) and this may also have an impact on IT
  systems design or operation [STR-DPA, web]. Anti-Money Laundering
  legislation introduces its own risks too: what should a bank do if it
  finds that its best and most profitable customers are probably money
  launderers but it can't really afford to lose their business?
Publications such as Gee's IT Policies and Procedures [ITPP, 2004] attempt to
guide subscribers on the current state of such legislation and are regularly
updated, but you should always take professional advice as to the exact
implications of legislation, if it affects you specifically. It is perhaps not directly
a part of IT Governance per se, but it is sometimes worth remembering that it's
a very good idea to avoid expensive court cases wherever possible (investigate
alternative dispute resolution) and, in particular, to avoid becoming a test case
for new regulations. It is indeed possible that regulatory compliance may be
implemented in the software driving the business, but be very careful about this.
Ultimately, the effect of regulatory law and its associated enabling legislation
is what a court decides it is, not what seems reasonable to technically competent
lay-readers of legal material. Even an expert legal opinion is not binding
on a future court.
In the next chapter we look at the impact of IT governance on the organisation
in general.

Chapter 3
Organisational impact

Culture
Organisational maturity
Roles and responsibilities
Practical experience of governance

Culture
Good IT governance doesnt exist in a vacuum. However experienced your IT
staff are, and however good the practices they follow, you dont have good IT
governance unless these practices are institutionalised as part of a formal process
that is regularly assessed and updated in the light of changes to the business
or technology.
If you just do it right, because thats how we do things, even if you are successful,
how will you convince the auditors or regulators that you werent successful
purely through luck and that you will continue to do things right? Well, youll
have to conduct a review for them (or give them access to conduct their own
review) that lets them discover all your critical processes and determine that
they are properly controlled. This will be expensive, especially if you delegate
it to an external party and youll have to do it all over again if the business,
the technology or even the interested party changes. This is not an efficient use
of resources and you can hardly claim to have implemented good governance
if it is based on such an ad-hoc set of processes. Especially if you also consider
the fact that time and resource pressures applied to a process that, essentially,
repeats the same redundant evaluations repeatedly, will result in omissions and
superficial assessments.
An organisation that wants to implement good IT governance must have a
supportive culture behind this. This means a culture that institutionalises good
practice processes in pursuit of clearly defined organisational goals, and
encourages buy-in to these goals at all levels.
However, you can imagine a company that employs the best (or most expensive)
people taking the view that 'what kept programmers from reaching their full
potentials were managers who tried to impose standards, expectations or
restrictions' (quoting from Larry Constantine's description of the state of affairs
at the fictional Nanomush, in Constantine on Peopleware [Constantine, 1995]).
Such companies are fairly common in the software industry and they usually
enforce any regulatory rules with draconian disciplinary procedures, once they
have been brought to their attention. So, if you're caught using someone else's
intellectual property in your IT systems, unlicensed, or you find fraudsters using
a back door into your systems put there so that programmers could fix bugs
faster, do you simply sack the person responsible for that bit of the system (if
they are still working for you) and hope that the issue goes away? Of course, it
doesn't: the lawyers carry on seeking damages or whatever; you've lost the
free spirits who built your code without wasting time on documenting what they
did; and the rest of your staff think you're victimising the unfortunate sacked
programmers, who were only doing what their culture expected anyway.
In this situation, you then start worrying about what other surprises await you,
because if leaving programmers free to do their own thing has given you one
problem, you have no means of assuring yourself that others haven't taken similar
risks. Typically, after one bad experience, you start mandating compliance with
some source of best practice, telling your programmers to 'get it right or else',
which, since you are trying to change their culture, probably won't go down
very well (you may lose the best of them and keep the dead wood that can't
easily get a job elsewhere). You'll find that you can't just mandate compliance
with anything outside of a military organisation and, in fact, military
management practices are usually fairly enlightened, because even under military
discipline the people at the sharp end can work around your mandates (and
also because, possibly, battlefield soldiers have the ultimate sanction available
against bad managers).
Unless you are the sort of company that sets goals before taking action, that
measures the impact of its actions relative to those goals and then changes what
it is doing to reduce the gap between its aspirations and what it actually achieves,
then attempts to achieve good IT governance are probably doomed to failure.
This culture of measurement and continuous process improvement is largely
what is meant by organisational maturity, although in our ageist society
companies often prefer to aspire to being 'adaptive' rather than 'mature'.

Organisational maturity
As Constantine points out [op. cit.], 'Maturity is a central issue for the field of
software development. Methodologists are wondering how long it will take for
software engineering to mature as a discipline, managers are concerned about
the level of process maturity in the approaches to development used within
their organisations, and project leaders wonder about the maturity of the
individuals whom they are called upon to lead.' But it's a concern in many more
fields than just software development. Firefighting system failures may be fun
and, in some organisations, you may be rewarded for the loyalty and dedication
firefighting at 03:00 am demonstrates, even if you're responsible for the problem
you're fighting (you probably delivered really fast and got rewarded for that too).
However, most business users would prefer you to take a more 'mature'
approach and not put the problem there in the first place (or, at least, observe
its appearance and pre-emptively nip it in the bud).
This concern for maturity is really driven by a desire for a quiet life, without
surprises and embarrassments. Allegedly, the Software Engineering Institute
at Carnegie Mellon started looking at capability and maturity in IT software
development because someone at a party to celebrate the first moon landing
noticed that we could put a man on the moon but couldn't build software that
worked reliably. It started to develop a Capability Maturity Model for Software
that an organisation could use as a target against which to assess the maturity of
its software delivery processes. It then found that there was a need for other process
maturity models and, to avoid the management issues of multiple assessments,
came up with the Capability Maturity Model Integration (or Integrated, in older
references), CMMI.
CMMI is proving popular, both as a way for an organisation to benchmark
internally its own ability to deliver and, perhaps unfortunately, as a marketing
tool for organisations striving to distinguish themselves in a competitive
marketplace. However, you don't have to have CMMI in order to be a mature
organisation; it's just a good framework to work within (and you do really need
an external benchmark to manage your progress against). Passing a CMMI
appraisal (actually, there's no 'pass' in the certification sense, you just get
appraised) doesn't guarantee good governance; it may simply show that your
lack of governance is deliberate and that your management should be aware
of this (which is, actually, a good start). However, mostly, what you measure (and
this does apply to process) you try to do well.

CMMI
We must stress that we are not really discussing formal CMMI process
improvement initiatives here; they're a whole different topic and deserve a report
in themselves. However, we are using CMMI as a framework within which to
talk about the maturity necessary for good IT governance. It is a convenient way
to categorise the levels of maturity in an IT organisation, but we must apologise
to serious CMMI practitioners for taking a rather superficial view of the subject.
You should also remember that although CMMI deals with more than just
software development, it doesn't cover every aspect of an organisation, even if
its levels could provide a convenient shorthand for describing maturity in areas
where CMMI proper doesn't apply. For those seeking more information, refer
to the CMMI web address in the Resources appendix [CMMI, web].
CMMI is commonly seen as a five-stage process, with organisations progressing
through the stages in turn, although there is also a continuous representation,
which allows an organisation to be at a different capability level in different process
areas at the same time (and CMMI experts often find this a more productive
way to look at real organisations). The staged representation is easier to follow
as a basis for discussion of maturity. The stages are:
5. The institutionalisation of continuous process improvement through
   proactive process measurement.
4. The use of quantitative process metrics, at the organisational level, to
   manage and improve the process.
3. The availability of managed process at an organisational level.
2. The availability of managed process at a project level.
1. The ad-hoc application of process.

Level 1 doesn't mean that you have no process, or that projects always fail, or
that nothing good happens (a common misconception). However, at Level 1 any
successes can't be guaranteed: they may depend on particular people or
circumstances, and a way of working in one project that delivers success may be
abandoned or, at least, not used somewhere else, simply because management
doesn't recognise what it has. It is hard to see how you can claim any great degree
of IT Governance at the equivalent of CMMI Level 1.
Going from Level 1 to Level 2 can be quite onerous, because it involves recognising
and documenting what you have, and that often brings you up against the usual
people issues, as your IT mavens may feel that documenting what they do and
sharing it with others diminishes their value in the organisation. At Level 2, you
are starting to have a degree of IT Governance and, remember, we are
only using the CMMI Levels as a framework for describing maturity levels. You
may effectively be at something corresponding to CMMI Level 2 as far as IT
Governance is concerned, even if you aren't formally implementing a CMMI
initiative and haven't undergone CMMI assessment (just don't claim to be at
CMMI Level 2 unless you do undergo proper appraisal, undergo regular
reappraisals and publish the appraisal class, A, B or C, and its scope).
CMMI Level 3 is probably as far as you absolutely need to go for IT Governance,
which is not to say that going further doesn't bring advantages and even better
governance. However, at Level 3 you not only know what you have and know
what you are doing with it; you are managing your IT resource at an
organisational level and making basic measurements of the effectiveness of your
management, which you can use to improve it.
At what corresponds to Capability/Maturity Level 3, which includes Level 2, you
should have, at least:
• Asset management in place, including management of information,
  infrastructure and application assets.
• An organisation-wide security policy, based on risk management and
  effective identity management.
• A business continuity policy in place, complemented with service
  level management; incident, service impact and problem management;
  and effective capacity planning and provisioning.
• Effective configuration management in place.
• Information lifecycle management in place, ensuring that electronic
  business records are kept safely for as long as necessary and then
  disposed of reliably and securely.
• Managed processes for application lifecycle and operational
  management.

It should be noted that CMMI is itself developing, partly to address 'gaming'
of appraisals by company marketing departments (which is why the scope of
an appraisal should be available and why appraisals have a limited period of
validity). Interesting developments are new CMMI constellations: CMMI-SVC
for developing services rather than software, and CMMI-ACQ for companies
acquiring automation rather than developing it. There is also the issue that
maturity and good process isn't an end in itself but a means for delivering business
outcomes, and an organisation which is generally of high maturity may fail to
deliver because just one key part of the organisation is at a low maturity level
and fails to control risk.
Process-driven development and operations are fundamental to what we think
of as IT governance and will be treated in more detail in the next chapter. A
typical but vendor-independent development process is the Dynamic Systems
Development Method [DSDM, web] and a widely accepted infrastructure/
operations management process is documented in ITIL, originally sponsored
by a UK Government computing organisation [ITIL, web].
Higher levels of maturity will fundamentally alter the nature of an organisation;
the comparison is with the way that lean engineering revolutionised the Japanese
car industry and enabled it to compete with and displace the traditional US motor
industry in world markets. However, higher levels of maturity may not suit some
organisations or, in particular, emerging industries and technologies, where things
may be changing too fast for a stable process to be feasible (although if you are
implementing CMMI properly and fully understand its concepts, we suspect that
there is room for argument here). Whatever the case, it is probably true that you can't
properly appreciate the benefits, and the consequences or implications, of higher
maturity levels until you are at Level 2 or 3.
At the equivalent of Level 4, you become a metrics-focused organisation,
managing quantitatively through metrics, which doesn't mean that you don't
measure capability and improvement, where you can, at lower levels. You don't
just measure what is easy to measure; you potentially measure everything, on
the grounds that you can't manage what you can't measure. There is an overhead
associated with this measurement activity, however, so you will concentrate, in
practice, on a few carefully chosen key performance metrics (which may be
derived from several low-level metrics), and measurement automation is vital
(you really need to build the necessary instrumentation into the design of your
systems rather than try to bolt it on afterwards). As technology improves, business
analytics and optimisation technology [BloorAnalytics, Web] can build good
governance into the framework of automated business systems. With the benefit
of the metrics you collect, you can focus on areas for improvement and confirm
that your improvements are, in fact, working.
At the equivalent of Level 5, you are into continuous process improvement and
the occult powers of warrior-monks in Chinese martial arts movies start to seem
normal. Your metrics become predictive and you start to improve processes in
anticipation of emerging problems. At this level, IT Governance is so innate that
you probably don't even need to think about it, but there aren't many true Level
5 organisations in the world, and many that have been assessed at CMMI Level
5 have only done so with a limited scope.
The point of this section is not to say that you must gain CMMI Assessment at
Level 3 in order to implement good IT governance but that you must have a certain
level of maturity across the whole organisation in order to implement IT
governance effectively. And CMMI Level 3 gives you some idea of the minimum
maturity level you will need in practice. If you implement IT governance at lower
maturity levels you will be lucky if it achieves what you hope it will. You will
likely end up with islands of good governance and may find that embarrassing
areas arent covered. You will be unable to reliably measure either the
effectiveness or the overheads of your governance initiatives, and you will be
unable to manage the overall alignment of your IT Governance efforts with the
requirements of corporate governance as a whole.

Roles and responsibilities
One of the key issues in IT governance is the assignment of roles and
responsibilities. The IT optimisation company Mercury Interactive, an industry
leader in application delivery, application management and IT governance (and
now part of HP's Business Technology Optimisation practice), once commissioned
a survey (back when it was still called application delivery testing) which showed
that the management in many companies assumed that IT tested its customised
package solutions, whilst the IT Group assumed that the management wanted
rapid delivery of its new business functionality and had verified its purchase
during selection. The vendor, of course, claimed that its package worked perfectly
until it was customised by its customers' IT Group. The net result, which is all
too believable to anyone who has worked in a big corporation, is that much of
the business functionality in the customisation was never properly tested: an
obvious failure in IT governance.
Assignment and recognition of the roles and responsibilities affecting IT
governance is definitely a cultural issue and will depend on tradition and company
size as well as on the company culture and attitude to technology (a high tech
company employing highly trained engineers might give users greater
responsibility than a company operating a call centre could) but it is always
essential that responsibilities are assigned clearly and accepted. At the highest
level, this can be done during staff induction and in job statements, backed up
by training.
Generally, the IT Group will be responsible for systems development and
technology implementation and probably, these days, for acquiring, orchestrating
and customising business technology services. It will probably be
responsible for implementing IT governance at the sharp end, because it is usually
a very bad idea to bolt governance onto a system: at the very least, performance
problems are likely; but there is also a significant risk that the governance
solution will break the logic of the system and an expensive rewrite of much of
it will be necessary. Although not exactly typical, the problems Microsoft is having
as it tries to implement security in its operating system (starting with stopping
all productive development for a reasonably long period and continuing with
critical service packs that break existing, but insecure, working, applications)
give some idea of the issues with this approach. However, although it must be
involved, the IT group is not best placed to design and enforce governance for
three main reasons:
1. IT people are technology focused, and many governance issues are
   at least partly to do with people and should focus on delivering business
   outcomes.
2. IT people are innovation-oriented, and frequently 'tried and tested' is
   best for good governance.
3. IT people are rewarded for delivery, which may conflict with the need
   to get governance right.

The IT Group can well supply some of the requirements for IT governance, in
the areas of business continuity and configuration management, for example,
but there is a risk that its view of Governance will only reflect the technical issues.
Being able to restore a working and up-to-date version of a database in the event
of a contingency is very much a part of IT governance, but it is not sufficient:
if the people using the database can't log into it, or don't have desks to sit at
or phones on which to call their customers, then the success of the IT governance
of the database won't matter much in the context of overall business
continuity.
On the other hand, even though business users are ultimately the stakeholders
and paymasters for IT governance, they don't have the technical expertise needed
to specify IT governance at the technical level. The business users may well be
the source of the specifications for IT governance embodied in or implied by
the legislative or regulatory environment, but, again, they are likely to specify
only part of the solution.
It is quite common to think that a conventional Audit Group will look after IT
Governance but, in reality, it is almost the worst choice of all for this function.
Auditors often specialise (although this is changing) in after-the-fact criticism
(which is too late, impacts on delivery and is expensive to address), don't generally
have the up-to-date technical knowledge to control technologists and don't have
the culture to become part of the development team. We once remember noticing
that the information archiving in a bank was rather out of control: everything
was copied to tape, often several times after a series of changes and, while
everything was in an archive, these were growing uncontrollably and it was
doubtful whether the bank could answer ad-hoc enquiries from archives with any
confidence. So we asked the auditors what the archive requirements were and
they wouldn't budge from saying 'archive everything forever', which was hardly
very helpful. However, the auditors may well be the ultimate backstop, the people
who confirm that you have, in fact, addressed the letter of the laws and regulations.
Nevertheless, it's really too expensive to find out that you haven't at this stage.
One solution to IT governance is setting up an Internal Control Group,
reporting to the Board separately, probably through a Governance Committee.
The responsibility of such a group is to take a holistic view of governance,
reporting at a business service level. However, it is also responsible for
assisting or mentoring developers and IT operations staff and should be both
technically and socially able to relate to the IT Group in an early stage of its
projects. The Internal Control Group is responsible for championing the
governance point of view in IT, but it must be seen as a service function: a source
of help and comfort, and assurance that a technically successful project won't
be criticised after implementation over governance issues the IT Group was hardly
aware of. This is largely a social matter, but an Internal Control Group can hardly
be expected to be respected, or even accepted, by the technologists in the IT
Group unless its members have experience and technical knowledge that the
IT Group respects, and unless the Internal Control Group acts as mentors instead
of policemen or technology superstars.

Practical experience of governance
At a round-table entitled 'IT Governance: The Role of measurement and
metrics', held in London in November 2004 by Managed Objects (the inventors
of Business Service Management and now part of Novell's Business Service
Management practice [ManObj, web]), Ron Whitehand (SVP, Computer
Sciences Corp EMEA) described, in CSC, a governance-focused organisation.
Whitehand points out that as a service provider to many large, and not so large,
companies across the globe, CSC has to make sure that its relationship to its
clients is good, in order to deliver the service its customers expect. 'IT
governance is often confused with external control,' he says, 'but it's an internal
thing, and has to be directed at managing the value delivered as well as the much
more straightforward problem of controlling costs.'
'We spend a lot of time, not talking about governance per se but just doing
governance,' he says. 'It's not a big item on our agenda, we just have to get on
with it because any services company has to worry about relationships and value
delivered to the client, and the more we can demonstrate that this is a value and
the more we can get the client to find it with us, the more we can help him; it's
a mutual benefit.'
'There's a whole range of layers around how we do this,' Whitehand continues,
'ranging from the old-fashioned SLA (Service Level Agreement), where we
measure the uptime of every component in a service, through to the total
availability of a business process. It depends on the maturity of the client, how
they're managed, how far we can take them on the journey towards IT
governance or towards business governance, which is what really matters.'
Metrics, Whitehand says, are very important, but they're not the be all and end
all. You need to understand the value of the metrics. CSC is adopting a balanced
scorecard approach (which balances hard financial bottom-line metrics against
softer metrics relating to intangible assets such as morale and customer
satisfaction [BalScore, web]). Other participants at the round-table, Thomas Mendel
(principal analyst, Forrester Research) and Dr Jim White (Business Technologist,
Managed Objects), confirmed that there were signs of a resurgence of interest
in balanced scorecard since its first popularity almost a decade ago [Kaplan
and Norton, 1992] [Kaplan and Norton, 1996]. This may be due to the availability
of better automated metrics, so the choice of metric is driven by business need,
not the accessibility of the metric. According to Whitehand, balanced scorecard
helps you easily identify management disconnects and gaps in your metrics, but
you need to introduce it gradually; you can't simply take three years off to deliver
a big bang balanced scorecard solution.
The developers of balanced scorecard, Dr Robert Kaplan and Dr David Norton,
working at the Harvard Business School, said some 15 years ago: 'The
balanced scorecard retains traditional financial measures. But financial measures
tell the story of past events, an adequate story for industrial age companies for
which investments in long-term capabilities and customer relationships were
not critical for success. These financial measures are inadequate, however, for
guiding and evaluating the journey that information age companies must make
to create future value through investment in customers, suppliers, employees,
processes, technology, and innovation.'
What this implies, of course, is that IT Governance based entirely on cost control,
while comparatively easy to formulate and implement, will not deliver
governance of all those aspects of an organisation that are required for success
today.
And as an aside, in CSC's world of outsourcing, the contract services are based
on SLAs (we will do something for you on this day, or our networks will be up,
or someone will answer the phone in a given timeframe and resolve your problem
on the phone in a given timeframe too), so performance against SLA may be
an important metric for governance.
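As an added example (not from this briefing, and not CSC's or Managed Objects' own tooling), here is how the SLA measurement Whitehand describes, from the uptime of each component through to the availability of a whole business process, can be computed and checked against an SLA target. The component names, the one-week measurement window, the outage records and the 99.5% target are all constructed for illustration.

```python
# Added example: composing per-component uptime into business-process
# availability and checking both against an SLA target.
# Component names, window, outage records and target are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    component: str
    start: datetime
    end: datetime


# Constructed one-week measurement window and outage log.
WINDOW_START = datetime(2024, 3, 4)
WINDOW_END = WINDOW_START + timedelta(days=7)
OUTAGES = [
    Outage("web", datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 2, 30)),
    Outage("db", datetime(2024, 3, 5, 2, 10), datetime(2024, 3, 5, 2, 40)),  # overlaps "web"
    Outage("app", datetime(2024, 3, 6, 9, 0), datetime(2024, 3, 6, 9, 45)),
]
# The (constructed) "take an order" business process needs all three components.
ORDER_PROCESS = ("web", "app", "db")
SLA_TARGET = 0.995  # 99.5% availability promised per component and per process


def _clip(outage, start, end):
    """Clip an outage to the measurement window; None if nothing falls inside."""
    s, e = max(outage.start, start), min(outage.end, end)
    return (s, e) if e > s else None


def _merge(intervals):
    """Merge overlapping (start, end) intervals so shared downtime counts once."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def availability(outages, components, start=WINDOW_START, end=WINDOW_END):
    """Observed availability of a set of components that must all be up.

    A single component gives that component's uptime; the whole chain gives
    the business-process availability. Overlapping outages are merged, so
    this is what a customer actually experienced, not a product of ratios.
    """
    window = (end - start).total_seconds()
    clipped = []
    for o in outages:
        if o.component in components:
            c = _clip(o, start, end)
            if c is not None:
                clipped.append(c)
    down = sum((e - s).total_seconds() for s, e in _merge(clipped))
    return 1.0 - down / window


def predicted_chain_availability(component_availabilities):
    """Textbook series estimate: the product of component availabilities.

    This assumes failures are independent and never overlap, which is why it
    differs from the observed figure when outages coincide.
    """
    result = 1.0
    for a in component_availabilities:
        result *= a
    return result


def sla_breaches(outages=OUTAGES, chain=ORDER_PROCESS, target=SLA_TARGET):
    """Names (each component, then 'process') whose availability misses the target."""
    breaches = [name for name in chain if availability(outages, (name,)) < target]
    if availability(outages, chain) < target:
        breaches.append("process")
    return breaches


if __name__ == "__main__":
    for name in ORDER_PROCESS:
        print(f"{name:>4}: {availability(OUTAGES, (name,)):.4%}")
    parts = [availability(OUTAGES, (n,)) for n in ORDER_PROCESS]
    print(f"process (observed):  {availability(OUTAGES, ORDER_PROCESS):.4%}")
    print(f"process (predicted): {predicted_chain_availability(parts):.4%}")
    print("SLA breaches:", sla_breaches())
```

On the constructed data every component meets its own 99.5% target, yet the business process misses it, because the process is down whenever any one component is; and the product-of-availabilities estimate is more pessimistic than what was observed, because the web and database outages overlapped. Reporting at the business-process level, rather than only per component, is what makes the SLA figure a governance metric rather than a technical one.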
Of course, the IT Department should be relating to outside customers anyway,
but one speaker didn't think that they usually do, although those that do see it
as part of the business are probably the most productive and forward-looking
companies. Nevertheless, there are potential issues with making the IT Group
part of the business. 'In a previous life,' Whitehand says, 'I actually ran internal
IT services for a company and I did engender a kind of governance board to
understand what my clients wanted inside the company. But it turned into the
very thing you're talking about, Tom [Thomas Mendel], which is "we're going
to control you".'
Although Whitehand believes in understanding quite as much as you can about
what the client wants and what the business wants, 'because the customer is
the final arbiter of where you're going', he doesn't think that business managers
should try to control technologists directly. So he cancelled that governance
meeting, 'because it was of non-value to the company, it just turned into "let's
stop them spending money and doing stuff" [although] it was probably a bit
high-handed of me at the time.'
Business managers do not generally know enough about technology (at the
cutting edge, especially) to effectively manage technologists who may know more
about technology and its implications than they do. Similarly, we have seen a
business-focused IT group that thought that it knew more about the business
process than the business itself. It probably did, at the start, but it couldn't maintain
this knowledge of the business cutting edge without actually being involved in
the business day-to-day (perhaps this is less true in a user-focused development
environment such as eXtreme Programming).
Finally, Mendel made an illuminating remark to the table generally: 'If you ask
IT directors and CIOs about governance you may be asking the wrong people,'
he said, 'because from what we can tell all the initiatives around managing the
risk of IT delivery, making your IT processes produce business value, those kind
of things, they're all not driven by IT, not in the beginning anyway, they're driven
by the end users, by the Board, so the understanding of what governance means
to IT will come as a second step.' 'We're in a first phase,' he continues, 'where
the business is starting to demand from IT an understanding of what products
we're producing and how these compare with those from external markets, rather
than just internal service delivery.'
Now, perhaps, is the opportunity for a mature IT department to move ahead of
the curve and start to pre-emptively deliver the style of IT governance the Board
of the company is coming to expect.
In the next chapter we look at the impact of IT governance on the IT department
specifically.

Chapter 4
The impact on IT
Enterprise Architecture
IT Governance Standards
IT service management
Lifecycle systems development process
Management reporting: Telling a true story
Practical IT governance tools


Chapter 4
The impact on IT
'AberdeenGroup research indicates that industry is wasting
an estimated 15 to 25 percent of its IT investment. Most
organisations have effective investment and cost control
mechanisms in place for facilities directly affecting production, but in very few
cases are these mechanisms applied to the organisation's computing resource.'
FROM THE FLYER TO THE ABERDEENGROUP'S STRATEGIC ENTERPRISE IT BUDGET REALITIES
BENCHMARK REPORT, DECEMBER 2004.

IT governance will have an impact on IT: there will be some things that IT staff
want to do that they won't be able to do after you implement IT governance,
and new initiatives that they'll have to buy into. If implementing IT governance
has no effect on the way you work, one wonders why you're bothering.
This impact must be managed, as must the fear that IT governance will get in
the way of productivity and increase bureaucracy for its own sake. It may be
worthwhile pointing out that unproductive IT, wasting resources, often by
building the wrong things and engaging in rework until you get it right, is
itself a symptom of poor IT governance. You could do this in IT governance
workshops, as part of the introduction of IT Governance. The point to stress is
that IT governance is intended to produce a positive business benefit; although
you may have to invest up front in order to achieve a longer-term benefit, always
try to identify and publicise short-term benefits on the way. It is usually best to
catalyse the implementation of IT governance with an obvious short-term benefit,
such as the prospect of regulatory fines (or worse) if you don't get your house
in order.
You don't have to do it all at once if you take a process-driven approach to IT
Governance. You can put in place processes to address immediate problems (as
long as you think a bit about the big picture context), measure the consequences
of this and use these metrics to justify further investment or, perhaps, to change
the process you're adopting. It is best to get it right first time, but it makes no
sense to persist with something that isn't working (although you should learn
from the experience for the next time).
Promoting IT Governance should be made part of an employee's conditions of
employment, and the promotion of good governance recognised in pay awards
and staff appraisals. A necessary (but not sufficient) requirement for good IT
governance is the availability of a proper security policy, and adherence to this,
and promotion of good governance generally, should be mentioned in standard
employment contracts and, more importantly, made part of staff induction training.
So, to summarise, the most important effect on the IT Group is that it will have
to become a process-oriented organisation with a measurement culture: it should
make fact-based decisions, not decisions based on gut feelings and outdated
rules of thumb. The idea is that the IT Group will be able to say what it is going
to do about IT issues (including things like compliance, reliable business service
delivery and other governance issues), evaluate its success in doing it and change
what it does next in order to reduce the gap between aspiration and achievement.
This is the essence of good governance.
An organisation may find that the adoption of an industry-accepted Code of
Practice, such as that from the British Computer Society [BCSCode, web], is helpful
in inculcating a good IT Governance culture in the IT group.

Enterprise Architecture
Enterprise architecture [BloorEA, web], or EA, is one of those terms which
means many things to many different people. However, in essence it should
represent the intersection between business strategy and policy and the IT
strategies and policies which implement it. This makes it central to IT
Governance if you see IT Governance, as we do, as a subset of corporate
governance generally.
EA brings different views of an organisation's automated systems (the
business view, the IT view, and a view of what the data in the system actually
means, the semantics) into one place. This puts business automation into
business ownership and helps you build the right automation as well as building
the automation right; which is part of the essence of good IT governance.
EA also helps change impact analysis, delivering no surprises to both business
and IT, another aspect of good governance, and it helps you manage the linking
of technology systems with partners and customers. In general, EA helps you
to manage a well-governed transition from where your automated systems are
now to where you'd like them to be without losing the ability to do business
effectively on the way.

IT Governance Standards
The ISO/IEC 38500:2008 IT Governance Framework
Good governance must be institutionalised in an organisation from top to bottom,
so the place to start is at the very top, with senior management. A good way
for the Board to demonstrate its commitment to good IT governance is to adopt
an industry standard such as ISO/IEC 38500:2008 [ISO38500, web], which provides
a ready-built framework to help board-level (CEO, COO, CIO etc.) senior
management understand and meet their legal, regulatory and ethical obligations
surrounding the use of IT in their organisation.
This standard defines terms and principles and provides a governance model
to support your organisation's customised governance framework. It is based
on principles (responsibility, strategy, acquisition, performance, conformance
and human behaviour) that should guide management decision-making; and it
provides three high-level IT governance objectives:
1. Assurance. Giving all its stakeholders confidence in the organisation's
use of IT in a business context.
2. Guidance. Helping directors to govern IT effectively.
3. Objectivity. Providing an objective basis for evaluating corporate IT
governance.

Alison Holt, Chair of the IT Governance Working Group in ISO, says: "This
standard is targeted at the Board of an organisation, to assist the Board in delivering the maximum value from IT and information assets across the organisation."
[ISO38500PR, web] This underlines a key point: IT governance must not be seen
just as a cost of doing business; it should be seen in a positive way, as delivering real value from ensuring that IT assets are being used effectively,
innovatively and appropriately, without waste.
Other enterprise architecture frameworks (such as TOGAF [TOGAF, web] or
Zachman [Zachman, web]) can also be useful, to help an organisation govern
the way IT appears to the business.

An organisation will need to customise its own IT Governance framework but
it should aim to write as little new organisation-specific material as possible and
supplement principles and structures with links to industry initiatives and practical
training courses in the governance-related initiatives it chooses to adopt. An
organisation's governance framework might cover, in a couple of dozen pages
at most:
• A high level IT Mission Statement: values, aims, principles and
accountability.
• IT Governance roles, responsibilities and reporting structures.
• Any Code of Practice the organisation expects its IT staff to follow and
why.
• A list of the governance-related initiatives that the organisation has
chosen to adopt and its objectives for these initiatives. These will provide
the meat of IT Governance and might include ISO/IEC 38500, ITIL v3
and COBIT, for example, but their content need not be repeated.
• A list of specific laws and regulations the IT part of the organisation
must comply with. This might include the UK Data Protection Act and
the Regulation of Investigatory Powers Act, for example.

ISO 27000 Security Standard


Information Security is a necessary, but not sufficient, aspect of IT governance,
and is supported by the ISO 27000 series of security management system
standards [ISO27000, web]. These also deal with risk assessment, which is an
important part of IT governance, and the identification of likely risks and
appropriate controls.

Other ISO standards


Standards such as ISO/IEC 20000 and/or ITIL v3 (IT service management and
service delivery), PRINCE2 (project management), ISO/IEC 24762 (IT disaster
recovery), and their supporting tool-sets will help IT practitioners to deliver well-governed IT services to the business.

COBIT
COBIT [COBIT, web] is an overall IT governance framework widely accepted
in the IT industry and mappings from it to other standards/frameworks are
available (sponsored, for example, by the OGC [OGC, web] and the IT Governance
Institute [ITGI, web]) and are becoming higher profile as they are generally
recommended as a basis for Sarbanes-Oxley compliance. It provides a high-level
focus on what the business needs from IT and classifies its objectives into
four general domains:
• plan and organise;
• acquire and implement;
• deliver and support;
• monitor and evaluate.

COBIT has a long history; it was created by the Information Systems Audit and
Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992, in
the context of the COSO (Committee of Sponsoring Organisations of the Treadway
Commission) corporate internal control process. It was first published in 1996
and Version 3 was made available online in 2003. The fourth edition introduced
fairly fundamental changes at the end of 2005. It targets managers, auditors,
and IT users with a set of generally accepted measures, indicators, processes
and best practices that should help maximise the benefit from IT by asking
questions about its processes such as: "is this important for our business
objectives?", "is it well performed?", "who does it and who is accountable?", "are both
process and control formalised?".

IT service management
Business service management
The first part of our working definition of IT governance (see Definition of IT
governance in the Management overview) is that it's that part of corporate
governance in general which ensures that automated systems contribute
effectively to the business goals of an organisation. Now, it probably isn't the
only possible approach to IT governance, but if you want to implement IT
Governance firmly in the context of corporate governance as a whole, it helps
if IT takes a service-oriented approach (built on a Service Oriented Architecture
or SOA). As David Chappell of Sonic Software says in the introduction of his
work on the Enterprise Service Bus [ESB, 2004], "An SOA [Service Oriented
Architecture] provides a business analyst or integration architect with a broad
abstract view of applications and integration components to be dealt with as
high-level services." He goes on to point out that an Enterprise Service Bus (ESB) ties
together applications and event-driven services in a loosely coupled way, which
means that they can be treated independently, but still in the context of an overall
business function.
It is a fundamental thesis of this report that IT Governance is about IT in the
service of the business, whether it's about returning an ROI in the form of
assistance to moneymaking business processes, or about the avoidance of waste
(and IT without a business purpose is a waste of resources), or about the satisfying
of business regulatory or compliance requirements. From this point of view, the
service-oriented approach to IT simply makes effective, business-oriented
governance easier, although there are other technical reasons why SOA, and
perhaps even ESB, will be important strategic directions for IT.
However, this is a top-level, architectural view of the matter. Nevertheless, a very
similar view is emerging bottom-up, from the (often neglected) IT operations
world, in the form of Business Service Management (BSM), a term which
Managed Objects [ManObj, web] claims to have invented but is now also used
by BMC and HP.
According to HP, its BSM solution (which is based on its well-established HP
OpenView product range) "provides CIOs, business process owners, and key
application owners with a view of their business processes from a customer
perspective" [OpenView, Web]. This should enable them to maintain a clear
understanding of the high-level health of their computer infrastructure and the
applications on which the business processes depend, which is certainly an aspect of
IT governance.
According to BMC Software [BSM, Web], "Business Service Management (BSM)
provides an incremental approach to understanding and meeting your specific
business needs. With BSM, you can identify the best technology solution to
support your business and make the most of your current investments. You can
deliver faster, more comprehensive and consistent services, increase revenue
opportunities, lower the cost of ownership and reduce the risk of unnecessary
IT expenditures." BSM obviously addresses the first part of our definition of IT
Governance, to do with serving the business effectively, and goes on to deal
with the middle part, the management and mitigation of IT risk.
An important practical part of the BMC BSM picture is the Atrium Configuration
Management Database (CMDB, an ITIL term; see below) [Atrium, Web],
which provides information sharing and centralised management across both
BMC and third party solutions. BMC claims that Atrium provides "a single source
of truth" for your IT environment, an important basis for effective, manageable
IT Governance (even if you don't choose to obtain it with Atrium, it is an issue
you will have to address).
BMC identifies the following entry points to BSM:
• Service level management
• Incident and problem management
• Infrastructure and application management
• Service impact and event management
• Asset management and discovery
• Change and configuration management
• Capacity management and provisioning
• Identity management.

If you go back and compare these with the list of desirable processes in the
previous section (under CMMI) you see a considerable overlap. You can come
at IT governance top-down, from a process-oriented and process-improvement
angle; or you can come at it bottom-up, from best practice infrastructure
procedures such as ITIL (see below). Business Service Management can provide a
good framework for presenting an integrated IT governance policy to both IT
operations staff and even operational staff in the business; whereas the
process-oriented view can appeal to upper management and regulators. In reality,
both views are complementary.

ITIL
Vendors usually promote Business Service Management but there should be a
standards-based approach underlying it. This is usually ITIL, the IT Infrastructure
Library [ITIL, Web], which was developed by the UK CCTA (Central Computer
and Telecommunications Agency) in the late 1980s and is now owned by the
UK Office of Government Commerce (the OGC; ITIL is both a Registered and
Community trade mark of the OGC) and adopted worldwide.
The ITIL documentation has been revised during 2000 to ensure that it is
consistent with, and forms part of a logical structure with, the BSI Management
Overview (PD0005) from the British Standards Institute (BSI), BS15000-1
(Specification for service management) and BS15000-2 (Code of practice for
service management). The British Standards Institution's Standard for IT Service
Management (BS15000) supports ITIL and, unlike ITIL itself, is a standard
that you can certify against.


ITIL is a library of books describing best practice taken from both the public
and private sectors internationally, together with a qualifications scheme,
accredited training, and tools to assist with implementation and assessment. It
now includes ITIL Live [ITILLive, web], which promises to make best practice
more agile and interactive. ITIL certainly isn't limited to UK practice or to public
services organisations, despite its ownership by an office of the UK government;
it is, in fact, a general framework for IT governance, suitable for small, medium
or large organisations, which must be customised to the needs of any particular
organisation. A whole philosophy of infrastructure management has grown up
around ITIL and the environment needed to support it.
A comprehensive ITIL FAQ is available on the Web [ITIL FAQ, Web] but
organisations planning to implement IT Service Management might also want
to read Planning to Implement Service Management, which explains the steps
involved in implementing or improving IT service provision [PlanISM, 2002].
There is also an independent not-for-profit user group (including vendors) called
the IT Service Management Forum or itSMF [itSMF, web], which claims to be
a major influence on, and contributor to, industry best practice and Standards
worldwide, working in partnership with a wide range of governmental and
standards bodies.
To use ITIL you really need to buy the library; we can't cover it all here. However,
we will provide an overview of its structure and scope, although this is not a
definitive guide to ITIL, which is well-documented by the OGC.
ITIL is all about best practice for well-governed IT service delivery, an important
aspect of IT governance (but by no means all of it). Its emphasis is changing
towards holistic service management, including business outcomes, and
process improvement, although not every ITIL practitioner has caught up with
the spirit of the latest version of ITIL yet.
ITIL now covers:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement

SERVICE TRANSITION/OPERATION: CONFIGURATION MANAGEMENT

This provides a foundation for other processes such as Incident, Problem, Change
and Release Management. It maintains a logical model of the IT infrastructure,
stored in federated CMDBs (Configuration Management Databases) and built
from configuration items (CIs). It identifies, controls, manages and verifies the
version of each configuration item. Configuration management involves
planning (in detail for 3-6 months ahead and in outline for 12 months past that);
identification of CIs (ownership, and unique id, for example); control of CIs under
change management review; status accounting and tracking; verification and
audit of CIs. Configuration management, see [LacyNorfolk, 2010], is necessary
(but not sufficient) for effective IT Governance.

SERVICE TRANSITION/OPERATION: CHANGE MANAGEMENT

This controls changes to CIs in the production environment and has to balance
the need for systems improvement (driven by changing business or the
discovery of defects) against the potential risk associated with making changes.
Change Management shouldn't be limited to the live environment. Organisations
often rely on project change processes to manage change within ongoing,
developing initiatives, but this can be risky if change to the testing environment
is not managed: how can you be sure, for example, that the environment you
validate changes in corresponds to the live environment? That has consequent
risks for live business service delivery. Change Management
typically deals with raising and documenting a change request, assessing its
impact, cost, benefit and associated risk, obtaining and documenting change
approval, managing the implementation of change, reviewing the change and
closing off the request.
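As an added illustration (not from the briefing, and not any vendor's CMDB product), the following Python models the change request steps just described together with configuration management's identification, status accounting and verification of CIs. The CI names, versions and the discovery snapshot are constructed, and the class and function names are assumptions.

```python
# Added example, not from the briefing or any ITIL/BMC product: a minimal model
# of configuration management (CIs in a CMDB) and the change request lifecycle
# described above, plus the verification/audit step. All names and sample
# versions are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """Change request states, following the steps in the text."""
    RAISED = "raised"
    ASSESSED = "assessed"
    APPROVED = "approved"
    REJECTED = "rejected"
    IMPLEMENTED = "implemented"
    CLOSED = "closed"


@dataclass
class ConfigurationItem:
    ci_id: str    # unique id, as configuration management requires
    owner: str    # accountable owner
    version: str  # the version the CMDB says is in production


@dataclass
class ChangeRequest:
    rfc_id: str
    ci_id: str
    new_version: str
    state: State = State.RAISED
    assessment: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # audit trail of transitions

    def transition(self, expected, new):
        """Allow only the next step in the process; anything else is refused."""
        if self.state is not expected:
            raise ValueError(f"{self.rfc_id}: {self.state.value} -> {new.value} not allowed")
        self.history.append((self.state, new))
        self.state = new

    def assess(self, impact, cost, benefit, risk):
        """Record impact, cost, benefit and risk before any approval decision."""
        self.assessment = {"impact": impact, "cost": cost, "benefit": benefit, "risk": risk}
        self.transition(State.RAISED, State.ASSESSED)

    def decide(self, approved):
        self.transition(State.ASSESSED, State.APPROVED if approved else State.REJECTED)


class CMDB:
    def __init__(self, items):
        self.items = {ci.ci_id: ci for ci in items}
        self.changes = {}

    def raise_change(self, rfc_id, ci_id, new_version):
        if ci_id not in self.items:
            raise KeyError(f"{ci_id} is not a known configuration item")
        self.changes[rfc_id] = ChangeRequest(rfc_id, ci_id, new_version)
        return self.changes[rfc_id]

    def implement(self, rfc_id):
        rfc = self.changes[rfc_id]
        rfc.transition(State.APPROVED, State.IMPLEMENTED)  # only approved changes go live
        self.items[rfc.ci_id].version = rfc.new_version

    def review_and_close(self, rfc_id):
        self.changes[rfc_id].transition(State.IMPLEMENTED, State.CLOSED)

    def verify(self, discovered):
        """Verification and audit: compare what discovery found in production with
        the versions the CMDB records. A mismatch is an unauthorised change or a
        CMDB that is no longer a single source of truth; both need investigating."""
        drift = {ci_id: (ci.version, discovered[ci_id]) for ci_id, ci in self.items.items()
                 if ci_id in discovered and discovered[ci_id] != ci.version}
        return {"drift": drift,
                "missing": sorted(set(self.items) - set(discovered)),
                "unknown": sorted(set(discovered) - set(self.items))}


def demo():
    """Constructed scenario: one change follows the process, one is rejected,
    and discovery finds a firewall changed outside the process."""
    cmdb = CMDB([ConfigurationItem("web-01", "ops", "2.3.1"),
                 ConfigurationItem("db-01", "dba", "11.4"),
                 ConfigurationItem("fw-01", "netsec", "7.0")])
    rfc = cmdb.raise_change("RFC-1001", "web-01", "2.4.0")
    rfc.assess(impact="web tier only", cost=2, benefit=5, risk="low")
    rfc.decide(approved=True)
    cmdb.implement("RFC-1001")
    cmdb.review_and_close("RFC-1001")
    rejected = cmdb.raise_change("RFC-1002", "db-01", "12.0")
    rejected.assess(impact="all services", cost=9, benefit=3, risk="high")
    rejected.decide(approved=False)
    try:
        cmdb.implement("RFC-1002")  # refused: this change was never approved
    except ValueError:
        pass
    # Constructed discovery snapshot of what is actually running in production.
    discovered = {"web-01": "2.4.0", "db-01": "11.4", "fw-01": "7.2", "app-99": "1.0"}
    return cmdb, cmdb.verify(discovered)


if __name__ == "__main__":
    print(demo()[1])
```

The drift report is the control that answers the question above: a CI whose live version differs from the approved record, or a component discovery finds that the CMDB never knew about, is a change that bypassed the process.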

SERVICE TRANSITION/OPERATION: RELEASE AND DEPLOYMENT MANAGEMENT

This is the holistic management of both the technical and the non-technical aspects
of major or critical changes. It plans and oversees the successful roll-out of new
and changed software and associated hardware and documentation across a
distributed environment. Release management includes, but is rather more than,
software control and distribution.

SERVICE OPERATION: INCIDENT MANAGEMENT

This is about detecting and recording incidents (events impacting service levels),
classifying them, diagnosing the root cause of the incident and resolving it, with
the aim of restoring normal service as soon as possible, with minimum disruption
to the business.


SERVICE OPERATION: PROBLEM MANAGEMENT

This is similar to incident management, except that problems encompass the
wider issues behind incidents. An important aspect of problem management
is trend analysis and the proactive prevention of problems/incidents. Problem
management is more-or-less the opposite of firefighting. Problem management
should supply the organisation with relevant management information reports.

SERVICE OPERATION: SERVICE DESK

This is the central point of contact with the IT Service Organisation for users
experiencing problems. A good Service Desk can have a disproportionate effect
on customer satisfaction. A good target is to close most service requests at first
point of contact with the Service Desk. "Service Desk" is preferable to the older
term "help desk", as it reflects the wider scope of a service desk facility. The Service
Desk can be expected, these days, to be proactive, suggesting ways in which
problems can be addressed before they appear.

SERVICE OPERATION/CONTINUAL SERVICE IMPROVEMENT: SERVICE LEVEL MANAGEMENT

The aim of this is to document and agree service level agreements (SLAs) between
the providers and consumers of IT services, and improve service levels over time,
as the business changes. It is usually important that SLAs are business-oriented,
as the availability of one component is of no interest if the service it helps support
isn't available to the business.

SERVICE OPERATION/CONTINUAL SERVICE IMPROVEMENT: CAPACITY MANAGEMENT

The aim of this is to ensure that capacity (disk space, computer power etc.)
increases or decreases in line with anticipated business volumes and performance
needs. There should be a capacity plan, which is agreed with management
and assigned a budget, so that it can be implemented to ensure that (in particular)
lack of capacity doesn't impact the business. There are three main areas
of Capacity Management:
• analyzing future business plans and ensuring that adequate capacity
will be available;
• analyzing the services provided to customers and anticipated future
demand, so that lack of capacity doesn't impact service levels; and
• analyzing and monitoring the resources used by the IT infrastructure,
so that resources don't run out.

SERVICE OPERATION/CONTINUAL SERVICE IMPROVEMENT: FINANCIAL MANAGEMENT FOR IT SERVICES

This is a vital part of IT Service Management and is really just the good financial
governance of the IT infrastructure: management and reduction of costs,
calculation of cost of ownership and return on investment, effective utilisation
of resources, management of internal and external contracts and, of course,
provision of financial reporting information to management. You would expect
an IT organisation to be able to account for the money it spends and to allocate
this spend to the provision of defined services. Most organisations will also want
to recover these costs from the users of these services, and possibly to
influence customer behaviour, by means of some form of chargeback.

SERVICE OPERATION/CONTINUAL SERVICE IMPROVEMENT: AVAILABILITY MANAGEMENT

This concerns itself with ensuring that IT resources are available as and when
needed by the business to satisfy its objectives. It is usually a balance of cost
and demand, tempered by business criticality. Redundancy, for example, helps
to ensure availability but increases the cost of the infrastructure, with
redundant components lying idle (unless you exploit some form of grid or on-demand computing model), so is only used for critical components. Availability
Management will monitor service availability against the appropriate service
level agreements, and adjust targets and agreements as appropriate.
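An added example (not from the briefing) that serves both the Service Level Management and Availability Management points above: service availability is derived from component outage records, a redundant tier counts as down only while all of its members are down at once, and the result is compared with a business-level SLA target rather than a per-component one. Service names, tiers, outage times and targets are constructed, and the function names are assumptions.

```python
# Added example, not from the briefing: business-service availability computed
# from constructed component outage records and checked against SLA targets.
from datetime import datetime, timedelta
from itertools import chain


def merge(intervals):
    """Union of possibly overlapping [start, end) intervals, sorted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def intersect(a, b):
    """Intervals during which both of two merged interval lists are down."""
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        start, end = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if start < end:
            out.append((start, end))
        if a[i][1] < b[j][1]:
            i += 1
        else:
            j += 1
    return out


def tier_downtime(members, outages):
    """A tier of redundant components is down only while ALL members are down."""
    down = None
    for member in members:
        this = merge(outages.get(member, []))
        down = this if down is None else intersect(down, this)
    return down or []


def service_downtime(tiers, outages):
    """Tiers are in series: the service is down whenever ANY tier is down."""
    return merge(chain.from_iterable(tier_downtime(t, outages) for t in tiers))


def availability(tiers, outages, period):
    """Fraction of the reporting period during which the whole service was up."""
    start, end = period
    down = sum((min(e, end) - max(s, start)
                for s, e in service_downtime(tiers, outages)
                if max(s, start) < min(e, end)), timedelta())
    return 1 - down / (end - start)


def sla_report(services, outages, period, targets):
    """Per-service availability against its SLA target, as a practitioner would report it."""
    report = {}
    for name, tiers in services.items():
        avail = availability(tiers, outages, period)
        report[name] = {"availability": round(avail, 5),
                        "target": targets[name],
                        "met": avail >= targets[name]}
    return report


def demo():
    """Constructed month of outages for two services sharing one database."""
    t0 = datetime(2024, 3, 1)

    def h(n):
        return t0 + timedelta(hours=n)

    period = (t0, t0 + timedelta(days=30))  # 720 hours
    outages = {  # component -> list of (start, end); constructed sample data
        "web-01": [(h(10), h(12))],      # partner web-02 covers most of this
        "web-02": [(h(11), h(13))],      # overlap 11-12: web tier down for 1h
        "db-01": [(h(100), h(101))],     # single database: 1h of service downtime
        "batch-01": [(h(200), h(248))],  # 48h down, used only by reporting
    }
    services = {  # service -> list of tiers, each tier a list of redundant members
        "online-orders": [["web-01", "web-02"], ["db-01"]],
        "nightly-reporting": [["batch-01"], ["db-01"]],
    }
    targets = {"online-orders": 0.995, "nightly-reporting": 0.99}
    return sla_report(services, outages, period, targets)


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Note that web-01 alone was down for two hours, yet the online-orders service lost only one hour to the web tier; reporting the component figure would hide that the shared database, not the web servers, is what both services depend on.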

CONTINUAL SERVICE IMPROVEMENT: BUSINESS CONTINUITY MANAGEMENT

This is a superset of IT service continuity management (there is no point in
ensuring IT service continuity if the business can't make use of the service because
something else can't be recovered). This is typically about having tested
recovery plans for IT components in the event of a disaster or major failure
impacting the business (it is also known as contingency planning or disaster
recovery), but the need for management of the recovery process, and the people
issues involved (including customer and public confidence), can't be over-emphasised. The recovery plans must be regularly reviewed to make sure that
they remain in alignment with the needs of the business (and that the processes
being recovered are still current), and are worthless unless and until they are
tested, which should be repeated regularly.
ITIL is not a fixed standard but is evolving in response to feedback from its
stakeholders, although it is probable that there won't now be any new versions,
as such; it will evolve and extend under the aegis of ITIL Live [ITILLive, web].
The latest version hasn't materially changed most of the earlier best practices
but the spirit and scope of ITIL has been brought into line with modern thinking.
It is taking on a knowledge management aspect through ITIL Live, with case
studies, subject matter expert white papers, implementation packages, business
cases, etc., complementing the core content; and additional material to support
the value proposition associated with ITIL.

Lifecycle systems development process


The process that most affects the IT group is the lifecycle development process
(sometimes called Application Lifecycle Management, originally promoted by
Borland, now part of Micro Focus [ALM, web]); "lifecycle" meaning that you apply
as much or more weight to the business operation and continuing maintenance
of IT systems as to the initial development. After all, most systems spend far
longer, and consume more resources while in maintenance than they do during
development.
The implication of this is that it is generally wrong to think in terms of IT projects
if you want to develop automated systems that contribute effectively to the
business goals of an organisation. An engineering project, such as a bridge, is
complete in itself. It starts, it has resources more or less exclusively assigned to
it and it finishes when you can evaluate its success or failure. Maintenance has
minimal effect on the function of the bridge. In contrast, a software engineering
project is actually part of a programme. Geoff Reiss writes about this in Programme
Management Demystified [Reiss, 1996], the follow-up to his book Project Management Demystified [Reiss, 1995]. Programme management is, according to Reiss,
the co-ordinated management of a portfolio of projects which call upon the same
resources. The IT group is usually working on several projects at once and most
of its effort is often devoted to the integration of these projects with each other
and with the operational systems already installed. The members of a software
engineering team ostensibly devoted to a single project will be involved in the
maintenance of previous projects they have completed, and may be adding considerable new business functionality during maintenance, and may be called upon
to provide particular expertise to other development projects. Two of the characteristics of programme planning that Reiss identifies are relevant to the issue
of IT Governance:
1. The team must ensure that the project's aim helps the organisation
forward.
2. Concentration on the corporate objectives.

What this means in practical terms is that the development and maintenance
of automated systems must be firmly based on the analysis and prioritisation
of business requirements (including regulatory requirements). It must be possible
to trace through from business requirement to code and vice versa. Code should
contribute to an identifiable business objective (even if indirectly, as some code
is there for technical reasons) and if it doesn't it shouldn't be there; defects and
failures should be categorised/reported in terms of the business services they
impact.
So, the IT Group can expect to be involved in Business Process Management
(BPM) using languages such as BPEL (Business Process Execution Language)
and Requirements Management. It will be generating at least the framework
of an automated system from Analysis and Design models, derived from
Requirements models; in fact, it may well adopt Model Driven Development
as a discipline. Iterative development with constant reference back to the end-users of the system will be the norm (even eXtreme Programming) and, of course,
testing will be key to building the final system.
Developers will be as familiar with modeling languages such as UML2 as with
coding languages, because abstraction via models lets you more easily
understand and validate complex automated systems. And, of necessity,
management will give developers realistic schedules, which mean that they have
the time to ensure that their automated systems really do align with the business
goals of the organisation.
There are many standard development processes, so writing your own from
scratch (which is how many of the currently available ones started) is no longer
particularly useful. Most of them are supported by vendors; IBM/Rational RUP
(Rational Unified Process) is a notable, and respected, example. The issue with
a vendor-supported process is that it may focus on areas where the vendor has
tools to sell; and it may not abstract its physical implementation from its logical
model sufficiently. Ideally, a process should be implemented as a meta-process,
used to instantiate a specific process for a particular activity (although the
availability of pattern instantiations for typical business situations would make
sense).
Nevertheless, many organisations get on well with commercial development
processes; there are potential issues, but as long as you're aware of them, then
they can provide a good basis for governance of the development process.
However, we'll look at a couple of vendor-independent development processes,
in order to illustrate the IT governance issues.

Atern
The DSDM (Dynamic Systems Development Method) Atern [Atern, web] is an
accepted methodology for Rapid Application Development (RAD), originally
developed by a consortium sponsored by IBM [PCNetAdv, web]. DSDM is
designed to be flexible (Agile) and relies on iterative development, using
prototypes, within a non-prescriptive framework. It really consists of a non-prescriptive collection of best practices.
Atern's interactive lifecycle talks about:
1. Feasibility and Foundation Studies: these evaluate a proposed
development for business justification and decide whether using DSDM
is appropriate. A Feasibility Report, possibly including an initial
solution prototype, is produced.
2. Exploration: this phase reviews the business process the IT system
should support, develops an outline prototyping plan and identifies
external stakeholders (such as user sponsors and workshop representatives).
3. Engineering: this phase uses prototypes to model the required
system, identify non-functional requirements (such as performance
and regulatory issues) and produces a functional model and the
implementation strategy and cost benefit analysis. The functional
prototype is refined using feedback from the business to drive the
production of new prototypes. After sufficient iterations, this phase
delivers a working system, which addresses all the agreed stakeholder
requirements.
4. Deployment: this phase moves the tested system into the users'
production environment and will include any user training required.

An important, distinguishing feature of Atern, in addition to Iteration, is time-boxing. This recognises that scheduled delivery dates are important to the
business, so if the project is slipping it maintains the agreed delivery dates by
negotiating a reduction in functionality for the relevant prototype, instead of
(say) reducing quality. With Atern, dates do not slip but functionality is
negotiable. Other Atern practices include Facilitated Workshops, Modelling and
MoSCoW (Must, Should, Could, Wont have) prioritisation.
The essence of Atern lies in its eight principles:
1.

Focus on business need. Atern takes a user-centred approach,


ensuring that users are closely involved throughout the development

A THOROGOOD SPECIAL BRIEFING

53

I T G O V E R N A N C E M A N A G I N G I N F O R M AT I O N T E C H N O L O G Y F O R B U S I N E S S

life cycle as active participants in the overall process. All changes during
development are reversible. Atern supports the idea of backtracking
to earlier states once iterations of the software stop satisfying the needs
of the systems stakeholders. Obviously, this requires work to be
performed within a development environment that supports the return
to earlier products.
2.

Deliver on time. The focus is on frequent delivery of products. Atern


is more concerned with the products of a project than the activities
per se. Each product is produced within an agreed period of time or
timebox (generally a short time period, as for earlier RAD approaches),
with the team responsible able to choose its own approach to
delivering that product.

3.

Collaborate. The developers, users and other stakeholders in a Atern


project work together to clarify the business need and ensure that
development satisfies that need. This contrasts to the contractual
approach of traditional development processes, where users are
expected to have all their requirements fully elaborated prior to
implementation and the developers provide a clear specification of what
will be delivered. Atern is more realistic in its approach, reflecting the
hard won IT experience that requirements evolve, due to developing
understanding and a changing external environment.

4. Never compromise on quality. Fitness for business purpose is the essential criterion for acceptance of deliverables. Atern is aimed at delivering necessary business functionality when it is needed, with an acceptance that there may be a need for subsequent refinement. This contrasts with more traditional approaches, which can degenerate into slavish delivery of requirements, even after it has become recognised that the requirement has been overtaken by events or was simply plain wrong. Testing is integrated throughout the lifecycle. Testing of Atern products is performed on a continuing basis as an integral part of the overall work. Testing involves both the developers and users, and is concerned with both the verification and validation aspects of the product.

5. Develop iteratively. Business users often don't really know what they want from an automated solution until they have hands-on experience with a prototype; business requirements evolve during development.

6. Build incrementally from firm foundations. The Atern approach favours incremental development, with a significant level of feedback from users. This helps the rapid satisfaction of business need and builds in iteration, in contrast to the view that re-work is managed under an exception procedure, which can be common in other development approaches. This is all believed to facilitate achieving rapid and continuing benefits in DSDM. Requirements are initially base-lined at a high level. Atern agrees the high-level requirements at the start of the project, fixing an agreed scope and purpose of the system overall. This provides a framework within which detailed investigation of the requirements can be conducted.
7. Communicate continuously and clearly. The development of automated systems is, in general, an exercise in communication between all the stakeholders in the business systems being automated, not just the most immediate stakeholders.

8. Demonstrate control. DSDM teams must be empowered to make decisions. The Atern teams combine developers and users, who have the power to decide upon functionality, etc. However, all the stakeholders must have confidence that development is leading, effectively and efficiently, to a desired business outcome: the essence of IT Governance as it applies to systems development.

Atern is particularly useful to IT governance because it increases user involvement in IT projects and preserves external delivery dates, both of which help reassure IT's external stakeholders in the business that IT is under control.

eXtreme programming

IT developers, in particular, are often frightened of process (and, indeed, governance) because of a fear that it will restrict their creativity and put a pile of paperwork in the way of their productivity. In fact, this fear is usually unfounded: building on an accepted process frees developers to be more creative, to do more, and much of the required documentation can be machine-generated (a computer-maintained UML model of a system is better documentation than a folder-full of paper).

Nevertheless, an Agile development process has grown up in the light of these fears, valuing people over process and the output of working systems or prototypes over abstract documentation. Thoughtworks [Thoughtworks, web] is a good example of a consultancy espousing Agile principles, not only in dealing with customers but also internally.


An extreme example of Agile development is eXtreme Programming (XP). It isn't really defined anywhere (one of its principles is that if XP is broken, you are allowed to fix it, i.e., you can customise your own version of XP), but it is generally accepted that Kent Beck's book, eXtreme Programming Explained [Beck, 1999], is a good starting point. An XP process will consist of a set of good practices, for example:

• Start by collecting short user stories from your users, consisting of a description of some feature of the new system and an acceptance test. Build a release plan, delivering useful business function, by grouping user stories together.

• Deliver project iterations taking about 1-3 weeks, selecting the deliverables for an iteration from a prioritised list of user stories and failed acceptance tests.

• Program in pairs: two programmers working on the same code on a single terminal. You'd think this would reduce productivity but, in fact, it increases it because it reduces rework (neither partner can tolerate unclear code from the other and they spot each other's omissions).

• Keep things as simple as possible for as long as possible, by never adding functionality before it is asked for in a user story.

• Refine the design to remove redundancy, eliminate the unnecessary and rejuvenate tired designs whenever and wherever possible. This is called re-factoring and is an area where experience is vital. It's all about removing unnecessary features and complexity, not about optimising performance and adding new features.

In marked contrast with the expectations of people who don't know XP, it can be very compatible with good IT governance, and even with process improvement approaches such as CMMI. The user involvement ensures that the IT project is aligned with the business; the emphasis on tests for each and every requirement, and constant repetition of the tests as the build changes, promotes quality; incremental delivery ensures that projects don't run out of control. However, XP requires an extremely disciplined development team, at least as disciplined as for normal development, possibly more so, and some people adopt 'XP-But' (as in 'we do XP but we don't bother with all that awful testing'), which won't deliver the same results.
According to Kent Beck (op. cit.):

'XP is my baby, XP reflects my fears: I am afraid of doing work that doesn't matter; having projects cancelled because I didn't make enough technical progress; making business decisions badly; having business people make technical decisions badly for me; doing work that I'm not proud of.'

If your programmers think like this, then XP delivers good development governance. If they don't, well, that is a management issue.

Management reporting: Telling a true story

The last part of our working definition of IT Governance (see 'Definition of IT governance' in the Management overview) is that it ensures that automated information systems (including financial reporting and audit systems) provide a true picture of the operation of the business.

Demonstrable audit controls

Everything in IT governance contributes to this but in the end it is a question of security: not of Confidentiality, but of the often overlooked Integrity and Availability aspects of security. Many systems provide audit trails, but how many of them protect the audit trails from systems administrators? If they don't, the audit trail may prove to be worthless in court, if it ever comes to that, because its Integrity can be compromised. And, if access to audit data (and legislation such as the UK Companies Act allows auditors access to any data that they need for their audit) hasn't been considered in advance, its Availability may be compromised: it may take too long to retrieve, the detail may be lost in an aggregation, the data format or physical medium may be obsolete. Audit data is only really useful if you know that you can prove it hasn't been tampered with and that you can read it. If you had a nine-track tape of IMS transactions from 1980, could you find the hardware to read it on, run a version of IMS that could recreate the transaction, prove that no-one tampered with it 25 years ago and understand the application well enough to make sense of the business behind the transaction? Some people think that the only truly reliable audit records are human-readable document images, written in duplicate (with each duplicate stored in a different location) using standard document formats on robust media, but the implementation details of this will depend on the precise requirements.

In fact, without special provisions, computer forensics can usually demonstrate that computer data hasn't been tampered with, or that it has been (beyond reasonable doubt), by analyzing the time stamps and similar data attached to changes by the operating system. However, you'd be unwise to rely on this, if only because computer forensics experts are expensive, especially if they're expert on obsolete computer systems.
It is better to build audit trails into the system design and possibly copy them securely into a system that only the auditors or internal control group, not the usual system administrators, have access to. However, in practice, this is not always easy: not all operating systems have fully granular security permissions, with no super users (in fact, few do). You perhaps need to give systems administrators the power to change everything except audit data (this may be needed in order to fix problems), although you might want to provide controls on the exercise of these powers; but you might also want to give the auditors the power to see everything, including normally confidential data, but change nothing. When you try to implement such schemes, you discover that you need a sophisticated, rules-based security scheme, but effective schemes like this aren't common when you delve into the details. Taking two examples from the past, Windows NT had the granularity, but was too hard to manage and seldom implemented properly; Novell NetWare (after v4) had the sophistication and directory-based manageability, but still supported superuser (all-powerful) IDs (including legacy admin IDs from a previous security model); neither implemented roles fully.

Encryption can come to your aid, not for Confidentiality but for non-repudiation. By encrypting a hash total derived from a document and transmitting the encrypted data alongside the document, you can prove that it hasn't been altered (by checking that the received document hashes to the same figure as the original did); a similar approach can be used for digital signatures (remembering that an email, say, is effectively digitally signed anyway, in practice). However, providing a hash signature for everything an auditor may ask about may prove impractical.
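As an added illustration (not code from the book), here is a minimal tamper-evident audit trail in Python built on the idea just described: each record's digest is sealed under a key held by the audit function rather than by system administrators, records are chained so that deletions and reordering show up, and the chain head is anchored with the auditors. The key, the journal records and the scenario names are constructed for the example, and a standard-library HMAC stands in for the asymmetric signature the text alludes to.

```python
"""Tamper-evident audit trail: a hash chain with a keyed seal.

Added example, not the book's code. A digest of each audit record is sealed
under a key that only the auditors or internal control group hold and is stored
alongside the record. An HMAC (keyed hash, standard library only) stands in for
the 'encrypted hash' or signature in the text; an asymmetric signature would let
the log writer hold a private key while the auditors verify with the public key.
Each record also carries the seal of the previous record, so records cannot be
deleted or reordered unnoticed, and the final chain head is anchored with the
auditors out of band. Administrators may still rewrite the log file, but without
the key they cannot produce a seal that verifies.
"""
import hashlib
import hmac
import json

# Constructed key for the example; in practice generated by, and held only by,
# the audit / internal-control function, never by the usual administrators.
AUDITOR_KEY = b"constructed-example-key-held-by-auditors"
GENESIS = "0" * 64  # stands in for "no previous record"


def _canonical(body: dict) -> bytes:
    """Serialise deterministically so the same record always gives the same digest."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _seal_for(body: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append(log: list, payload: dict, key: bytes = AUDITOR_KEY) -> str:
    """Append a sealed record and return the new chain head (this record's seal)."""
    prev = log[-1]["seal"] if log else GENESIS
    body = {"prev": prev, "payload": payload}
    log.append({**body, "seal": _seal_for(body, key)})
    return log[-1]["seal"]


def verify(log: list, anchored_head: str, key: bytes = AUDITOR_KEY):
    """Check every seal and chain link, then the head against the anchored value.

    Returns (True, None) when the log is intact. Otherwise (False, i) where i is
    the first record whose seal or link fails, or len(log) when every record is
    individually valid but the chain ends somewhere other than the anchored head
    (records truncated from the end, or the anchor itself disputed).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {"prev": rec.get("prev"), "payload": rec.get("payload")}
        expected = _seal_for(body, key)
        if rec.get("prev") != prev or not hmac.compare_digest(expected, str(rec.get("seal"))):
            return False, i
        prev = rec["seal"]
    if not hmac.compare_digest(prev, anchored_head):
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed journal entries standing in for a financial system's audit trail."""
    log = []
    append(log, {"seq": 1, "user": "jsmith", "event": "post_journal", "amount": 1200})
    append(log, {"seq": 2, "user": "jsmith", "event": "post_journal", "amount": -300})
    head = append(log, {"seq": 3, "user": "sysadm", "event": "grant_role", "target": "jsmith"})
    return log, head


def run_scenarios() -> dict:
    """Things an auditor wants the check to catch; returns each verify() result."""
    results = {}
    log, head = build_sample_log()
    results["intact"] = verify(log, head)

    # 1. An administrator edits an amount in place: that record's seal no longer matches.
    log, head = build_sample_log()
    log[1]["payload"]["amount"] = -30000
    results["edited"] = verify(log, head)

    # 2. The last record (an administrator's own role grant) is deleted: head mismatch.
    log, head = build_sample_log()
    del log[2]
    results["truncated"] = verify(log, head)

    # 3. A middle record is removed: the next record's link no longer matches.
    log, head = build_sample_log()
    del log[1]
    results["gap"] = verify(log, head)

    # 4. A record is appended and sealed with a guessed key: seal fails.
    log, head = build_sample_log()
    append(log, {"seq": 4, "user": "sysadm", "event": "rotate_logs"}, key=b"guess")
    results["forged"] = verify(log, head)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10s} -> intact={outcome[0]} first_bad={outcome[1]}")
```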
When you design financial reporting, it must be based on proper analysis of both the business and regulatory requirements and fully tested. This extends to the audit trail of changes to the financial record. Think in terms of demonstrating the integrity of your financial reporting in court, not in terms of a computer science exercise (being logically correct is necessary, but may not be sufficient). This is an area where role-playing games in a training situation can concentrate people's minds on the issues.


Practical IT governance tools

This report does not aim at being a buyer's guide to IT governance software. Nevertheless, examination of a few representative products may be of value, as giving an idea of the sort of computer assistance that is available to an IT governance project. However, there are many more tools out there to choose from as well.

1. Atego Process Director [ProcDir, web]

This addresses the management of the software development process, one step above the software development process itself, and is an aid to process maturity: it appears to markedly speed up CMMI level 3 assessments, particularly in two areas:

• Organisational Process Focus: to plan and implement organisational process improvement based upon a thorough understanding of the current strengths and weaknesses of the process and process assets; and

• Organisational Process Definition: to establish and maintain a set of organisational process assets.

Process Director comes with a range of processes in the box: Waterfall, PRINCE2 (a UK Government sponsored project management process), and alignments to DSDM, Agile/XP and others. You can use these as a basis for developing a process customised to your own development requirements, without the risks associated with reinventing the wheel from scratch, assisting real IT governance at the process level. The latest version of Process Director has a process consumer dashboard and provides BPMN diagrams with which to describe process.

If you think that being in control of the end-to-end development and deployment process is an important aspect of IT governance, Atego's Process Director is the sort of enabling tool that could help you achieve this; although, of course, it can't do it for you. As with most areas of IT management, cultural issues are important when implementing process, and people issues are at least as important as technology issues.

2. Compuware Changepoint [Changepoint, web]

Compuware Changepoint is a holistic IT business portfolio management tool that enables organisations to implement effective governance models, providing the organisation with a framework for measuring and managing IT value, cost and risk. It also helps you align IT with the business by applying a portfolio management discipline to IT projects, applications and infrastructure. It can automate core business processes and promises to reduce costs, while increasing the efficiency and quality of all IT work.

It can enable management to improve decision-making and proactive performance management at all levels, by providing visibility into critical performance indicators in real time. It helps management gain control over IT spending through accurate, comprehensive cost measurement, budgeting and meaningful charge-backs, and helps to improve client satisfaction by gathering feedback and collaborating with clients online. It also supports skill tracking; demand and capacity planning; scheduling and time tracking. It helps to control administrative overheads, to eliminate redundant, error-prone manual data handling processes and to improve the morale of both management and staff. Big claims, but in our opinion, after talking to Ayman Gabarin, VP of IT Governance EMEA at Compuware, probably not unfounded.

3. BMC Atrium [Atrium, web]

A key part of the underlying ITIL model is the Configuration Management Database (CMDB). Atrium from BMC Software is one of the few specialised implementations of CMDB.

It is an intelligent data repository that BMC says provides 'a working model of your enterprise IT infrastructure', a single source of truth for your IT environment. It promises to underpin the IT governance you need in order to support your organisation's business goals effectively.

CMDB is, in effect, an integration tool which federates the data from multiple infrastructure monitoring and discovery tools into a cohesive logical whole that can reside on multiple physical platforms throughout an IT organisation.

4. Mercury BTO [Mercury, web]

Part of IT governance is assurance of the continuing operational efficiency of automated systems, especially after a regulatory or compliance initiative has increased data volumes or increased administrative overheads; Mercury's Business Technology Optimisation (BTO) promises to be a valuable addition to your toolkit.

Mercury promises specific assistance with, for example, the key sections of Sarbanes-Oxley: Section 302, which requires CEOs and CFOs to sign statements, under penalty of perjury, verifying the completeness and accuracy of company financial statements; Section 404, which requires CEOs, CFOs and outside auditors to attest to the effectiveness of internal controls for financial reporting; and Section 409, which requires companies to report material financial events immediately, in real time, instead of waiting for quarter-end. Mercury's products include comprehensive portfolio, program and project management software and real-time dashboards that can be configured for CIOs, CFOs and CEOs to provide early warning of any project missteps, avoiding end-of-quarter surprises. They also provide end-to-end process control over software changes, including enhancements, customisations, configuration, vendor patches and bug fixes; logging of all changes across the development, test stage and production landscapes; control over lifecycle processes; and real-time project status.

5. The Jazz Platform initiative

Although this is an IBM initiative, made up from an architecture for lifecycle tool integration, an open community and a product catalogue of tools supporting the initiative, and is unlikely to become Open Source, it is likely to impact the use of automated tools to support IT Governance very widely (much as Eclipse affected commodity systems development tools). For instance, whereas there used to be a market in point-solution mainframe performance management and user experience tools, they are now expected to be part of an integrated end-to-end (cross-platform) experience monitoring and business outcome assurance solution, and Jazz will be the glue that holds this together. As IBM itself puts it [IBMJAZZ, web]: 'The Jazz platform enables collaboration among business stakeholders, subject matter experts, and anyone who plays a role in the successful delivery of software, not just software professionals. This represents a transformational leap in the value of software delivery teams because they can now make software a focal point for driving innovation across the enterprise.' The key to the potential importance of Jazz is that it enables collaboration across traditional silos and should help bring governance of IT into the business world; one of the first tools on the Jazz platform to enable this in practice is Rational Asset Manager [IBMRAM, web], which lets you catalogue, organise, use, reuse, manage and report on business, technology or software assets across the enterprise, not simply within the IT group, and allows you to understand the relationships between them and the business value they deliver. Jazz is being developed through an innovative, collaborative, community process at Jazz.net [IBMJAZZNet, web].


6. IBM Rational Doors-Synergy Integration [IBMDoors, web]

IBM Rational Synergy is a task-based change and configuration management solution built upon a robust and scalable repository. It is closely integrated with, but separate from, DOORS, which is a requirements management tool (which itself supports the TAU systems engineering environment). IBM believes that a federated tool approach is appropriate, because different audiences need different tool philosophies and interfaces: a reasonable approach, as long as it is done well.

Change and configuration management is central to the ITIL best practices for infrastructure management. The IBM Rational product set, incorporating the Telelogic products acquired by IBM, complements the core ITIL processes, including problem, incident, change, release and configuration management. Moreover, IBM Rational's professional services organisation methods are built on industry best practices to ensure ITIL success.

For instance, IBM Rational would claim that SYNERGY/Change is the ideal tool to define, refine and deploy an Incident Management Process, as its process definition can include lifecycles (workflows), states and transitions, attributes and formulas, rules and access security.

7. Novell MyCMDB [NovellMyCMDB, web]

MyCMDB was acquired with Novell's Managed Objects acquisition and addresses one aspect of a general governance problem: the issue of governance automation losing touch with reality because its underlying data becomes out of date and, thus, untrusted. MyCMDB uses community social networking principles to produce and maintain a CMDB (Configuration Management Database) which belongs to and (most important) can be used by the general community.

This illustrates a general principle (and the use of social networking techniques could be extended to other governance-oriented tools): IT governance relies on general buy-in and acceptance, which can be promoted by actively making it useful to the business. How many PCs you have is a governance issue; if, say, the CEO's secretary is asked to find this out and goes to a business-friendly CMDB interface to find the information, the business is more likely to accept the need for governance tools like the CMDB.


8. Pervasive AuditMaster [AuditMaster, web]

This goes beyond the usual data access controls to audit authorised users of your data resources, a vital aspect of protecting, for example, your financial records for Sarbanes-Oxley. It is a database add-on with transaction intelligence and proactive monitoring capabilities but, unfortunately, it only supports the Pervasive SQL embedded databases currently.

9. Novell BSM [NovellBSM, web]

The Novell BSM Platform can be used to measure, improve and enforce the performance and availability of all kinds of services, from online trading and customer relationship management, say, to something as basic as corporate email. Novell would claim that its platform covers the full spectrum of Business Service Management and that you can use it to align IT to the business incrementally, attacking the key issues first. As most people will agree that the key issues are, in fact, important, this helps you gain acceptance for your IT governance initiative.

The strength of this platform, originally acquired from Managed Objects, lies in its Business Service Object Model, effectively a schema that should allow for the storage of an object's state (where an object may be anything from a whole service to an individual server), together with the root cause of that state and its business impact. It appears that views into this model can be customised for different audiences, always a useful feature.

In the next chapter we look at some of the issues associated with actually implementing IT governance.

Chapter 5
Implementing IT governance
Obtain management sponsorship
IT governance methodology overview

'Look at types of tools that are coming out to support IT governance: they only deal with risk in the development environment. What's the risk of a project going wrong? They are not yet able to apply themselves to the operational world, the world that transactions live in. To detect, to measure success in any way.'

SPEAKER AT MANAGED OBJECTS ROUNDTABLE ENTITLED: IT GOVERNANCE: THE ROLE OF MEASUREMENT AND METRIC.

Implementing a formal IT Governance regime, assuming that you have only ad hoc or informal governance processes at present, involves (despite what some vendors may tell you) a lot more than just buying some software, although once you do have the required culture in place, tools can facilitate the initiative. A first requirement is to align IT governance with corporate governance in general. Think of this as high-level requirements gathering: what are the business governance issues that currently worry the Board and the company auditors, and what questions would they like to ask or, more importantly, are they afraid to ask? Try to talk in terms of business issues, not technical solutions: of being able to demonstrate that the physical implementation of a bank's money laundering policy, for example, is tested against the policies discussed by the Board of Directors, not about implementing Model Driven Architecture and Applications Lifecycle Management tools.

This discussion is only an input to your governance initiative. You can't assume that the Board's concerns are the right concerns, because informal risk analysis is often driven by media hype and by our tendency to concentrate on the most recent crisis we experienced. After the IRA bombings in London, people moved data centres down into the basement where they were safe from bombs but far more vulnerable to flooding, which is far more likely to affect a building in London than a bomb. Nevertheless, you'll get no credit for your IT governance initiative if you can't sensibly address the one question the CEO wants to ask, when he wants to ask it (even if the answer goes on to suggest that he/she may be asking the wrong question).


Obtain management sponsorship

The first essential for IT governance is informed top management sponsorship. If management sends mixed messages (if it insists on good governance in practice but pays performance bonuses to people who deliver systems faster by cutting corners), people at the sharp end of IT will soon realise that only lip service to good governance is required. However, since in this situation they will also realise that this makes them ideal scapegoat material if something does go wrong, morale, productivity and systems quality will fall, as a direct result of your governance efforts.

Management sponsorship should involve the evaluation and adoption (where appropriate) of some or all of the initiatives mentioned in the previous chapter, or their equivalents.
There are three practical metrics for management sponsorship of IT governance:

1. The availability of a corporate IT governance plan, overseen by a Governance Committee, with representation from IT professionals in the IT Group and reporting at Board level. The names are immaterial (the group could easily be called the IT Strategy Committee, say); what is important is that IT governance issues can be raised at Board level and that technically informed input to the discussion is available.

2. An IT governance framework is implemented, typically with an Internal Control department or some such group. What is important is that governance can be policed proactively, not after the fact as an Audit Group would. Governance must not be seen as a barrier to implementation but as an assistive process, which ensures that IT systems get it right first time and contain no hidden surprises that will excite the regulators down the track.

3. Provision of a formal budget for the IT governance initiative. Without a budget, which Internal Control can book time against and that can be used for any tools and training that may be required, you really don't have a governance initiative, no matter how much people talk about governance.


IT governance methodology overview


You should take a process-based approach to governance, which is why process
initiatives like CMMI and ITIL can be an important underpinning to IT
governance. CMMI is about organisational maturity, the ability of an organisation
to implement a process in pursuit of an objective, measure its consequences and
improve the process to better deliver against changing business objectives; ITIL
is a collection of best practice processes for managing IT infrastructure. If third
parties (such as regulators) question your IT governance in detail, it can be useful
to point to your maturity/capability as an indicator that your process can be
effectively improved to address the questions raised.
You should take a systems approach to governance. Your internal process is in
a state of dynamic equilibrium. Changing external threats and regulations provide
external stimuli, resulting in feedback through the Internal Control function to
management and the technicians in the IT Group, which results in changes to
the internal process that satisfy the new regulations or mitigate the new threats.
Separation of function keeps the whole process honest:

• The Internal Control Group reports to the Board via the Governance Committee: it is immune to local politics in the IT Group and in business departments, and is focused on corporate strategy. Since it sets requirements but isn't responsible for systems delivery, it isn't tempted to interfere in technical matters that are properly the province of the experts in the IT group.

• The IT Group is presented with governance as, essentially, a systems requirement. It isn't tempted to compromise governance in the interests of speedy or cheap delivery, because governance is part of what it is delivering. At the same time, it is free to determine the most effective technical solution to the business governance requirements raised by the Internal Control function, without having possibly inappropriate technical controls bolted on to completed systems, which can easily introduce technical defects.

• The Auditors report independently and confirm that the processes are working by comparing practice against the agreed framework that everyone should be working to. If it is all working properly, the Auditors should not find problems after the fact, when they are expensive to address, because any problems should have been addressed proactively during systems development/maintenance. However, if the process is starting to fail, the Auditors should be able to proactively alert management to the issue.


As with any other IT project, IT governance needs clear objectives and a budget allocation, and a plan showing how these objectives will be achieved and how the budget will be allocated. Implementation should be in stages, frequently delivering defined governance benefits, rather than a big bang implementation delivering perfect governance in one go, years in the future, if the company remains focused on the project that long. The stages in implementing an IT governance initiative from scratch would be, broadly (and in no particular order), as follows:

1. Obtain buy-in on the ground


The impetus to good governance may be clear at Board level but the troops can
be surprisingly cynical about such initiatives. Too many of us have heard managers
talk about the best of practices and seen them reward cowboys for rapid delivery
of systems which are full of problems for less charismatic workers to clear up,
for little reward or thanks.
Training is probably key to an organisation demonstrating to its staff that it is serious about governance: training in new tools, training in performance management, so as to ensure that the possible overheads of governance don't impact on operational performance. In addition to training, experienced (perhaps external) mentors who have a wide experience of IT generally and recognise, and know how to address, the more subtle governance issues, can be helpful.

A governance forum, in which workers at the sharp end can discuss governance issues and suggest solutions in public (far more useful than mutterings around the water cooler about some technically infeasible governance edict), is a good idea. However, you must make sure that you document the action points from such a forum and show the community that the issues it identifies are at least given proper consideration (this is process management through feedback). It is also important that such a forum represents both the business and IT points of view, with fully informed and empowered attendees. If it becomes a cost-focused drag on innovation (e.g. 'our job is to find out where the IT department wants to spend money and stop it') such a forum can be counterproductive.

2. Map IT to the business


Generally, there is a many-to-many relationship between business functions and the IT infrastructure. A particular server, a computer storing both business data and automated data processing systems, may support many business functions, for example; conversely, a single business function may invoke many servers.


The best way to do this is with diagrams, but the relationships involved are too complex for this to be done manually. In addition, there is a strong risk that such maps will become out of step with reality. Business process analysis/management tools can provide a useful bridge between the world of IT and the world of business, although there isn't a lot of evidence that they're being used for this yet.

The best way to maintain such mappings is therefore with automated tools that can generate the framework (at least) for automated systems from models relating business processes to IT systems. Look for suites of systems development tools (not necessarily from the same vendor) that support the entire development lifecycle from business process modelling and requirements management, through to coding and testing.

3. Implement policy-based security and identity management


There is a lot more to IT governance than security, but security is part of it. Good security starts with risk and threat analysis, to determine and prioritise the risks facing the organisation; then comes the formulation of a Security Policy, which documents the policies designed to mitigate, transfer (through insurance, say) or accept (in conjunction with contingency plans) each identified risk. Only then can you design the procedures that implement the policies. Ideally, the policies will be fairly generic, so that when changing technology or business renders a procedure obsolete, the intent of the policy is clear and can direct the formulation of a new procedure.
Good security is role based, as this aids maintenance and makes least privilege practical. People in an organisation have basic, restricted access as employees; then, as they are given roles in the organisation, each role brings with it appropriate access permissions. If people move roles within the organisation, they lose the permissions associated with the old role and gain those associated with the new one. In practice the "mover" case is where this breaks down: unless the process forces revocation, permissions from a previous role accumulate, so periodic recertification of who holds which role, and of which grants each role justifies, is needed.
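The role-based model above, as an added worked example (illustrative Python, not code from this Briefing or from any product it mentions): permissions attach to roles, every employee starts with a baseline, a mover loses the old role's grants, and a recertification pass exposes the case where the old grants were never revoked, which here also shows up as a segregation-of-duties breach. The roles, permissions, users and the "toxic combination" are constructed assumptions.

```python
"""Role-based access control with a joiners/movers/leavers flow.

Added illustration, not code from the briefing. The roles, permissions,
users and the 'toxic combination' below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Baseline every employee gets, independent of role.
EMPLOYEE_BASELINE = frozenset({"read:intranet", "read:own_payslip"})

# Role -> permissions. Access is granted only via roles, never directly to a
# person, so a role change is the only way to gain or lose it.
ROLES = {
    "payroll_clerk": frozenset({"read:payroll", "write:payroll"}),
    "payroll_approver": frozenset({"read:payroll", "approve:payroll_run"}),
    "dba": frozenset({"read:payroll", "admin:payroll_db"}),
}

# Permissions one person must never hold together (segregation of duties).
TOXIC_COMBINATIONS = [frozenset({"write:payroll", "approve:payroll_run"})]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # What target systems have actually been told to grant. In a healthy
    # environment this equals effective_permissions(); any surplus is privilege
    # a mover carried over from a previous role.
    provisioned: set = field(default_factory=set)

    def effective_permissions(self) -> frozenset:
        perms = set(EMPLOYEE_BASELINE)
        for role in self.roles:
            perms |= ROLES[role]
        return frozenset(perms)


def assign_role(user: User, role: str) -> None:
    if role not in ROLES:
        raise KeyError(f"unknown role {role!r}")
    user.roles.add(role)
    user.provisioned = set(user.effective_permissions())


def move_role(user: User, old_role: str, new_role: str, revoke: bool = True) -> None:
    """Move a user between roles. revoke=False models the common failure: the
    new role is provisioned but the old role's grants are left in place."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    if revoke:
        user.provisioned = set(user.effective_permissions())
    else:
        user.provisioned |= ROLES[new_role]


def is_allowed(user: User, permission: str) -> bool:
    """Authorisation decision driven by current roles, not by stale grants."""
    return permission in user.effective_permissions()


def recertify(users: list) -> dict:
    """Periodic access review: grants that no current role justifies."""
    return {u.name: sorted(u.provisioned - u.effective_permissions())
            for u in users if u.provisioned - u.effective_permissions()}


def sod_violations(users: list) -> list:
    """Users whose actual grants contain a toxic combination."""
    return sorted(u.name for u in users
                  if any(combo <= u.provisioned for combo in TOXIC_COMBINATIONS))


def demo() -> dict:
    alice, bob = User("alice"), User("bob")
    assign_role(alice, "payroll_clerk")
    assign_role(bob, "payroll_clerk")
    # Both are promoted to approver. Alice's old role is revoked properly;
    # nobody cleans up after Bob.
    move_role(alice, "payroll_clerk", "payroll_approver")
    move_role(bob, "payroll_clerk", "payroll_approver", revoke=False)
    return {
        "alice_can_write_payroll": is_allowed(alice, "write:payroll"),
        "alice_can_approve": is_allowed(alice, "approve:payroll_run"),
        "stale_grants": recertify([alice, bob]),
        "sod_violations": sod_violations([alice, bob]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping `provisioned` separate from `effective_permissions()` is that the authorisation decision and the access review look at different things: the first at what the current roles justify, the second at what the systems actually grant. Only the second catches Bob.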
Identity management is related to security. It is about identifying people unambiguously and managing the attribution of identities to people seeking access to your organisation. It includes providing the facilities to attribute actions unambiguously to identities, which is essential for audit trails and for security. A large part of IT governance comes from people taking responsibility for their actions. Without identity management, your governance is built on sand.
In common with the general tenor of this report, a standards-based approach to security is recommended, although you may not need to formally certify against the standards. ISO/IEC 17799:2000 [StandDir, web] became accepted worldwide as the code of practice for information security management, although you can't really certify against this, as it isn't a specification you can assess against. You also need BS 7799-2:2002, the corresponding specification (which you can certify against); both were available as a package, with some extra material, as the ISO 17799 Toolkit. Note that these standards have since been renumbered: ISO/IEC 17799 is now ISO/IEC 27002 (the code of practice) and BS 7799-2 has been superseded by ISO/IEC 27001 (the certifiable specification); see [ISO27000, web]. The intent is unchanged, so what follows applies to the ISO 27000 series. ISO 17799 et al. provide an excellent framework for implementing security and ensure that you take a holistic approach, starting with risk management (although they aren't strong on the details of this) and covering often-neglected areas such as business continuity. However, some form of mentoring from an external security consultant is recommended too; it is difficult to make an unbiased assessment of the risks and threats facing you from inside an organisation.
Tools to support IT risk assessment, implement ISO 17799 etc. are available. Some of these can be very useful, but beware of concentrating only on those areas your tools cover and neglecting business risk assessment as a whole: there is little point in mitigating the IT risk affecting a system if the business risk is uncontrolled; and almost any IT security measure can be rendered ineffective if unhappy or unjustly treated staff can be compromised, or if physical access to the premises and IT infrastructure isn't effectively controlled. In the case of risk assessment tools in particular, investigate the provenance and localisation of the threat database that underlies their risk assessment facilities. A database relating to US threats, say, may not be wholly appropriate in the UK, and a database that is some years old may miss emerging threats (ideally, you should be able to add threats from your own incident history to the database).

4. Implement BSM across all platforms


Business Service Management (BSM; see Chapter 4) means that you manage your IT infrastructure in terms of the business services it implements. Managed Objects (now part of Novell) claimed to have invented the term [ManObj, web], but it is also associated with HP and BMC Software these days; and BMC's Atrium CMDB [Atrium, web], which addresses the IT Infrastructure Library (ITIL) requirement for a single, enterprise database to ensure data consistency and support integration across differing service management processes, may be a significant enabler for BSM.
Business Service Management is commonly taken to include Service Level Management, Incident and Problem Management, Infrastructure and Application Management (including Licence Management), Service Impact and Event Management, Asset Management and Discovery, Change and Configuration Management, Capacity Management and Provisioning, and Identity Management. Some of these have been split out for special emphasis in the present chapter.

By its very nature, BSM must be cross-platform. Business users will not be happy if business-friendly service level reporting and management stops abruptly when their data strays onto the mainframe, for example. This is a serious governance issue, as discontinuities in the vocabulary and culture of service level management and security facilitate breakdowns in IT governance at exactly that point.

5. Implement infrastructure management


Having a fully managed infrastructure based on an up-to-date and maintained asset register is an essential part of IT governance. Even something as simple as IT asset management is vital. If you don't know exactly what hardware you have and exactly what software is running on it, how can you claim any sort of IT governance? Software piracy is one area where organisations seem to be assumed guilty unless they can prove innocence, and the consequences of a visit from the "piracy police" (disruption, confiscation, fines) can be immense. Yet how effective can a plea that "we're sure all our software is licensed, although we don't know what software we have and where it is running" be? The same unknown assets are, of course, the ones nobody patches or monitors.
ITIL is a good basis for infrastructure management, although it is probably sufficient rather than necessary: other frameworks will do, if applied consistently. As well as asset management, capacity management and service level management, the Service Desk function and defect tracking are typically part of an IT governance framework.
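The many-to-many mapping from section 2 and the asset register question from section 5 meet in one data structure, shown here as an added worked example (illustrative Python, not code from this Briefing or from any tool it names). A service map is inverted to answer the business-impact question ("which services does this server carry?"), and the register is reconciled against discovery to find hosts nobody owns, hosts with no business purpose, and services that quietly depend on unregistered kit. The hostnames, owners, services and discovery results are constructed assumptions.

```python
"""Business-service to infrastructure mapping with impact and coverage checks.

Added illustration, not code from the briefing. The register, the service
map and the discovery results are constructed; every hostname is an assumption.
"""
from collections import defaultdict

# Asset register: what we believe we own (host -> owner, licensed software).
ASSET_REGISTER = {
    "db01": {"owner": "dba-team", "software": {"postgresql"}},
    "app01": {"owner": "payroll-dev", "software": {"java-runtime", "payroll-app"}},
    "app02": {"owner": "crm-dev", "software": {"java-runtime", "crm-app"}},
    "mf01": {"owner": "mainframe-ops", "software": {"cics", "db2"}},
    "fs01": {"owner": "infra", "software": {"samba"}},
    "old-nas": {"owner": "infra", "software": set()},
}

# Many-to-many: business service -> hosts it invokes.
SERVICE_MAP = {
    "payroll": {"app01", "db01", "mf01"},
    "crm": {"app02", "db01"},
    "expense-claims": {"app01", "db01", "shadow-vm-7"},  # shadow-vm-7 is not in the register
}

# What network discovery actually saw (constructed).
DISCOVERED_HOSTS = {"db01", "app01", "app02", "mf01", "fs01", "shadow-vm-7", "test-box-3"}


def hosts_to_services(service_map=SERVICE_MAP):
    """Invert the map: host -> business services that depend on it."""
    inv = defaultdict(set)
    for svc, hosts in service_map.items():
        for h in hosts:
            inv[h].add(svc)
    return dict(inv)


def impacted_services(failed_hosts, service_map=SERVICE_MAP):
    """Business view of an incident: which services lose a component."""
    inv = hosts_to_services(service_map)
    hit = set()
    for h in failed_hosts:
        hit |= inv.get(h, set())
    return sorted(hit)


def single_points_of_failure(service_map=SERVICE_MAP, min_services=2):
    """Hosts whose loss takes down at least `min_services` business services."""
    return sorted(h for h, s in hosts_to_services(service_map).items() if len(s) >= min_services)


def coverage_gaps(register=ASSET_REGISTER, service_map=SERVICE_MAP, discovered=DISCOVERED_HOSTS):
    """The questions the text asks: do we know what we have, and does every
    piece of infrastructure map to a business purpose?"""
    registered = set(register)
    mapped = set(hosts_to_services(service_map))
    return {
        # On the network but not in the register: licence and patch state unknown.
        "unregistered": sorted(discovered - registered),
        # Registered but supporting no service: decommission or document.
        "no_business_purpose": sorted(registered - mapped),
        # A service depends on something we do not formally own.
        "services_on_unregistered_hosts": sorted(
            svc for svc, hosts in service_map.items() if hosts - registered),
        # In the register but not seen: stale entry, or a box that went missing.
        "registered_not_discovered": sorted(registered - discovered),
    }


if __name__ == "__main__":
    print("db01 down ->", impacted_services(["db01"]))
    print("single points of failure ->", single_points_of_failure())
    print(coverage_gaps())
```

In a real estate the register and the service map come from the CMDB and the discovery set from a network scanner or agent inventory; the reconciliation logic is the same, and it is the disagreements between the three that matter for governance, not any one of them alone.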

6. Implement configuration management


Configuration management involves identifying the components of an automated system that contribute to the service it delivers and managing changes to that configuration (including audit trails and facilities for backing out unsuccessful changes). Software change control (keeping track of changes to software code as requirements change or defects are addressed) is only part of configuration management.
Defect and problem tracking and service desk support are closely related to configuration management.

7. Implement business continuity management


The availability of IT systems is now critical to the operation of many businesses. This makes Business Continuity Management (BCM) a vital part of IT governance (it's also required by the ISO 17799 security standard). In fact, it should be built in from the start by designing critical systems to be resilient. BCM is non-trivial to do well and external consultancy may be attractive. It must be firmly based on an objective assessment of risks (itself difficult unless you are an experienced risk assessor), including risks the organisation hasn't encountered yet, and deal with the whole spectrum of contingency, from minor service interruptions to a full-blown disaster that eliminates a data centre in its entirety.
It is important to ensure that IT governance is maintained sensibly (at a managed level) during a contingency, as otherwise a contingency could be engineered as an opportunity to steal data, compromise business transactions or financial reports, or sabotage systems; emergency access granted during recovery needs the same logging and subsequent review as normal access. A whole-systems approach to business continuity should be adopted. The non-availability of phones or a serious health and safety issue can take out a business service just as effectively as a fire-damaged computer.

8. Implement information lifecycle management


Electronic information can be as important and legally significant as paper documents such as contracts: formal (and potentially forged) instruments. The courts will probably treat any email as an electronically signed document, according to Stephen Mason, Barrister, speaking at SUNLive05 [SUNLive05, web] in London. The regulations and laws affecting business information (see Chapter 2) say that information must be available to answer auditors' questions in a timely manner, and its provenance must be capable of proof; but, as well as this, some personal information must be destroyed securely when you no longer need it. This means that you need a policy-based information lifecycle management system (similar in purpose to document management systems in the paper world). This must be able to classify information, store it cost-effectively and securely (possibly with backup copies kept offsite), document its creation, amendment and destruction, and securely audit the critical events in the lifecycle; and the audit record itself must be protected from later alteration, or it proves nothing.
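The audit requirement above, and the point in section 3 that actions must be attributable to identities, can be illustrated together. This is an added worked example (illustrative Python, not code from this Briefing or from any product it mentions): lifecycle events (create, amend, destroy) are recorded against an authenticated actor in a hash-chained, append-only log, so that editing or re-attributing a past entry breaks the chain; a classification-to-retention policy then derives what must be destroyed and what may merely be disposed of. The classifications, retention periods, record identifiers and actors are constructed assumptions.

```python
"""Tamper-evident audit trail for information lifecycle events.

Added illustration, not code from the briefing. The records, classifications,
retention periods and actors are constructed; the field names are assumptions.
"""
import hashlib
import json
from datetime import date, timedelta

# Classification -> how long to keep, and whether secure destruction is
# mandatory when the period ends (e.g. personal data under the DPA).
RETENTION_POLICY = {
    "financial-record": {"keep_days": 7 * 365, "destroy_when_expired": False},
    "personal-data": {"keep_days": 2 * 365, "destroy_when_expired": True},
}

GENESIS = "0" * 64


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, record_id: str, when: date, **details) -> dict:
        if action not in {"create", "amend", "destroy"}:
            raise ValueError(action)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {"actor": actor, "action": action, "record": record_id,
                 "date": when.isoformat(), "details": details}
        entry = {"event": event, "prev": prev, "hash": _digest(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry that fails to verify, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def retention_actions(log: AuditLog, today: date) -> dict:
    """Which live records are past retention, and what the policy requires."""
    created, destroyed, classes = {}, set(), {}
    for e in log.entries:
        ev = e["event"]
        if ev["action"] == "create":
            created[ev["record"]] = date.fromisoformat(ev["date"])
            classes[ev["record"]] = ev["details"]["classification"]
        elif ev["action"] == "destroy":
            destroyed.add(ev["record"])
    out = {"must_destroy": [], "may_dispose": [], "retain": []}
    for rid, when in created.items():
        if rid in destroyed:
            continue
        policy = RETENTION_POLICY[classes[rid]]
        expired = today > when + timedelta(days=policy["keep_days"])
        if not expired:
            out["retain"].append(rid)
        elif policy["destroy_when_expired"]:
            out["must_destroy"].append(rid)
        else:
            out["may_dispose"].append(rid)
    return {k: sorted(v) for k, v in out.items()}


def demo() -> dict:
    log = AuditLog()
    log.record("alice", "create", "INV-2004-001", date(2004, 3, 1), classification="financial-record")
    log.record("bob", "create", "CV-0042", date(2008, 6, 15), classification="personal-data")
    log.record("alice", "amend", "INV-2004-001", date(2004, 3, 2), field="total")
    log.record("carol", "create", "INV-2011-007", date(2011, 1, 10), classification="financial-record")
    intact = log.verify()
    actions = retention_actions(log, date(2011, 7, 1))
    # Someone rewrites history: the amendment is re-attributed to bob.
    log.entries[2]["event"]["actor"] = "bob"
    tampered_at = log.verify()
    return {"intact": intact, "actions": actions, "tampered_at": tampered_at}
```

A hash chain makes alteration detectable, not impossible: whoever can rewrite the whole file can recompute every hash. In practice the latest hash is anchored somewhere the log's custodians cannot reach (signed and shipped to a separate store, or written to WORM media), and the actor field comes from the authentication system rather than from whatever the application chose to write.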

9. Implement a systems development/acquisition process


If you build software, you must have a lifecycle development process (see Chapter 4), from business requirements analysis through to coding, testing and implementing systems (in fact, testing should start with validation of the requirements). This is best implemented by training and mentoring, using tools to facilitate the desired practice. Simply mandating a development process does not work well.

If you don't build software, you need a similar process for implementing packages. You still need to analyse business requirements, in order to choose the package which best fits your business process and to assess the impact of the business process embodied in the package on your existing business process. And you still need to test package applications, in case they don't do what they say they will, or you implement them incorrectly. If you customise a package, this is really a small systems development project and similar QA measures are necessary.

10. Optimise processing


If you don't have a great deal of IT governance, introducing full-blown governance and compliance measures can increase processing overheads and so affect the business (after implementing HIPAA in the States, data volumes often increase by an order of magnitude or more). It is therefore vital to include what Mercury Interactive (now part of HP) called business technology optimisation [HPMercury, web] in your governance programme. Put crudely, satisfying the requirements of HIPAA or Sarbanes-Oxley (or local equivalents) can increase, say, database accesses by an order of magnitude or more (audit logging alone can turn every business write into several), and many database infrastructures won't have been designed to cope with this. Unless you reassess and, possibly, optimise performance, the immediate result of introducing IT governance may be to damage business performance and, thus, the reputation of IT (and your career).

11. Implement problem management


Business Continuity is often thought of as disaster recovery: something standalone that you bring in after a disaster, such as the loss of a data centre in a fire. This is obviously an aspect of IT governance, if the business depends on applications running in that data centre, but it is too limited a view (see Business Continuity Management, BCM, above). Business continuity is also a function of IT problem management.
The business needs to be isolated from IT problems: at one end of the scale, a significant part of the IT infrastructure is lost and we talk of disaster recovery and BCM; at the other end, a bug is encountered that affects the business, or a small part of the IT infrastructure (a single phone line, perhaps) drops out, and we talk about problem or incident management and defect tracking. In the interests of good IT governance, you should probably see this as a continuum: the impact of IT issues on the business should be limited, well controlled and managed.

This is usually associated with a service desk function, which should aim for pre-emptive identification and mitigation of emerging issues, ideally before they have any impact on a business service. There are many sophisticated service desk packages: BMC Remedy [Remedy, web], for example, or FrontRange's HEAT [HEAT, web].

12. Demonstrate ROI


At least one of the objectives behind any IT governance initiative is likely to be to run IT better for the organisation's benefit. So, it is very good practice to instrument IT governance systems and report business information so that IT governance, and the ROI (Return on Investment) from the governance project, can be demonstrated on a continuing basis.
Choose your metrics carefully: people tend to deliver what you measure, so if you choose the wrong measures you may get the wrong results. Early attempts to measure the quality of support staff in terms of the number of calls completed in a period, for instance, resulted in a plethora of quick fixes and recurring problems, because continual short-term fixes to the same problem made the metrics look better. It would have been better to measure problems fixed without recurrence, and customer satisfaction, rather than calls processed. After all, provided it is accessible and servicing the calls it gets, the fewer calls a service desk has to process, the more successful it is!
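The metric problem just described, as an added worked example (illustrative Python, not code from this Briefing or from any service desk product it names): the same constructed ticket data is scored two ways, by calls closed and by first-time-fix rate, where a fix is counted as recurring if the same underlying problem is raised again within a window. The tickets, analysts, problem keys and the 30-day window are constructed assumptions.

```python
"""Service desk metrics: calls closed versus problems fixed without recurrence.

Added illustration, not code from the briefing. The tickets, analysts and
the 30-day recurrence window are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

RECURRENCE_WINDOW = timedelta(days=30)

# (ticket_id, analyst, problem_key, opened, closed). problem_key identifies the
# underlying fault (configuration item plus symptom) so repeat calls can be linked.
TICKETS = [
    ("T1", "ann", "print-q-jam", date(2011, 1, 3), date(2011, 1, 3)),
    ("T2", "ann", "print-q-jam", date(2011, 1, 10), date(2011, 1, 10)),
    ("T3", "ann", "print-q-jam", date(2011, 1, 17), date(2011, 1, 17)),
    ("T4", "ann", "vpn-drop", date(2011, 1, 5), date(2011, 1, 5)),
    ("T5", "ann", "vpn-drop", date(2011, 1, 20), date(2011, 1, 20)),
    ("T6", "ben", "mail-quota", date(2011, 1, 4), date(2011, 1, 6)),
    ("T7", "ben", "db-lock", date(2011, 1, 12), date(2011, 1, 14)),
]


def calls_closed(tickets):
    """The naive throughput metric: closures per analyst."""
    out = defaultdict(int)
    for _, analyst, _, _, closed in tickets:
        if closed:
            out[analyst] += 1
    return dict(out)


def recurrences(tickets, window=RECURRENCE_WINDOW):
    """A closure 'recurred' if the same problem_key is raised again within
    `window` of it. Returns (recurring ticket ids, closures per analyst that
    later recurred)."""
    by_key = defaultdict(list)
    for t in tickets:
        by_key[t[2]].append(t)
    recurred, per_analyst = set(), defaultdict(int)
    for chain in by_key.values():
        chain.sort(key=lambda t: t[3])  # by opened date
        for earlier, later in zip(chain, chain[1:]):
            if earlier[4] and later[3] - earlier[4] <= window:
                recurred.add(later[0])
                per_analyst[earlier[1]] += 1
    return recurred, dict(per_analyst)


def first_time_fix_rate(tickets, window=RECURRENCE_WINDOW):
    """Share of each analyst's closures not followed by a recurrence."""
    closed = calls_closed(tickets)
    _, bad = recurrences(tickets, window)
    return {a: round(1 - bad.get(a, 0) / n, 2) for a, n in closed.items()}


if __name__ == "__main__":
    print("calls closed:", calls_closed(TICKETS))
    print("first-time-fix rate:", first_time_fix_rate(TICKETS))
```

On this data the throughput metric ranks ann well ahead of ben (five closures to two), while the first-time-fix rate inverts the ranking (0.4 against 1.0): three of ann's five closures were the same two faults coming back. The metric only works if tickets carry a usable problem key, which is itself a configuration management question.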
Look beyond a purely financial ROI. Good IT governance reduces risk, so it increases business confidence and allows you to play in areas your competitors find too risky. It involves efficient provisioning, so new staff get up to speed faster, and promotes a supportive IT environment, with fewer surprises, so staff morale generally should improve. A balanced scorecard [BalScore, web] approach to measuring the impact of IT governance is probably appropriate. It is always important to remember that IT governance is only a means to an end. Better IT governance is not really a useful objective; it is better to have as an objective increasing the bang per buck spent on IT (measured in business terms), or widening your customer base in areas where good governance forms part of the acceptance criteria, or even reducing the cost of regulatory compliance and controlling the risk of legal action. Nevertheless, be realistic. If your improved IT governance allows you to win a lucrative contract in the health industry, you can't accrue the entire profit to your IT governance effort; it may be an enabler, and this is a real non-financial ROI, but the final profit is mostly down to the software or services you supply against the contract. Similarly, if your improved governance makes you more efficient, you can't claim the staff hours saved as a benefit until you actually reduce headcount or redeploy people onto productive work.

13. Reviews
Reviews of IT systems after changes have bedded in, in order to enable a gap analysis of the differences between aspiration and reality, followed by the scheduling of maintenance efforts aimed at reducing any gaps, are an important characteristic of good IT governance. Sometimes, as with CMMI initiatives (see Chapter 3), these reviews are part of a formal process but, regardless of how you approach IT governance, there must be some sort of review and feedback process. Change seems to be part of the nature of IT, so a static governance system, however effective, is unlikely to stay effective for long.
In the next chapter we summarise the findings of the Report.

Chapter 6
Conclusions
Companies with better than average IT governance earn at least a 20 percent higher return on assets than organisations with weaker governance.
JEANNE ROSS AND PETER WEILL IN THE JUN. 15, 2004 ISSUE OF CIO MAGAZINE.

If it were done when 'tis done, then 'twere well it were done quickly.
SHAKESPEARE, MACBETH.

So, what is IT governance? It is an extension of corporate governance generally, which ensures that automated systems contribute effectively to the business goals of an organisation, that IT-related risk is adequately identified and managed (mitigated, transferred or accepted), and that automated information systems (including financial reporting and audit systems) provide a true picture of the operation of the business. Changes in legislation mean that IT governance is, or will shortly be, a pressing concern in many companies dependent on IT.
In Chapter 1, we looked at the context of IT governance within corporate governance. IT governance is important because various accounting and other scandals (WorldCom, Enron, failed government contracts and so on) have led the powers that be to suspect that financial systems are creeping out of control. They are realising that most financial controls are based on IT and that this apparent loss of control could impact commercial confidence generally. Stephen Haddrill, Director General, Fair Markets, summed the situation up well in his Foreword to Proposal by the European Commission for a Directive on Statutory Audit of Annual and Consolidated Accounts, September 2004 (the Department of Trade and Industry (DTI) consultation period on this ended 30 November 2004 [8thDirCons, web]; the DTI was replaced by the Department for Business, Enterprise and Regulatory Reform and the Department for Innovation, Universities and Skills on 28 June 2007):
We believe the market is the best regulator of corporate activity. For the market to operate efficiently, however, we need a robust legal framework that ensures that investors have full and accurate information on which to base their decisions.
Following the collapse of WorldCom and Enron in the US, and miscellaneous corporate scandals elsewhere, the Department of Trade and Industry (DTI) reviewed all aspects of financial and audit reporting. We concluded that our approach was fundamentally sound, but that the system could be strengthened in a number of ways. In particular, we expanded the role of the Financial Reporting Council to provide independent oversight of the audit profession.
The European Commission has looked at these issues in parallel. One result of their work is a proposal for a new 8th Company Law Directive on statutory auditing which updates the original 1984 Directive, and follows many of the UK's initiatives.
This activity means that stakeholders in IT governance, even indirect stakeholders, are starting to ask questions that concern IT governance. An investor in a company wants to be sure that the financial reports s/he relies on haven't been tampered with so as to misrepresent the true position of the company, and also wants to be confident that they won't contain errors that are the result of program bugs or logic errors.
In Chapter 2, we reviewed the external pressures for IT governance, from the
legal and regulatory systems in which companies using IT must operate. The
legal systems in most countries are increasingly making company directors
responsible for corporate governance and therefore IT governance.
In Chapter 3, we analysed the organisational impact of corporate governance and the building of a more mature, measurement-focused organisation. The Capability Maturity Model Integration (CMMI) from the Software Engineering Institute at Carnegie Mellon University was described; it can be taken as a framework for talking about capability and maturity, even if you don't assess formally.
In Chapter 4, we looked at the impact on the IT group specifically and at initiatives
like DSDM (the Dynamic Systems Development Method) and ITIL (the IT
Infrastructure Library).
In Chapter 5, we overviewed the implementation of IT governance. Key to this
is, as always, getting buy-in at all levels and removing barriers to implementation
with training.

Our overall conclusion must be that good IT governance, in a form that can be demonstrated to the stakeholders in an organisation and, where appropriate, to interested third parties, is now an explicit requirement for any IT group. A piecemeal approach is likely to be expensive, as it will have to be repeated every time something changes; and the legal framework around corporate governance these days makes cosmetic compliance a high-risk strategy.
So, the fundamental requisite for good IT governance is a mature and capable organisation: one that says what it is going to do, does it, measures the consequences and applies feedback in order to bring reality closer to the original aspiration.
Such an organisation will find a process-based approach to be more effective and, in the long term, cheaper to maintain. It will adopt standards-based frameworks such as ITIL for infrastructure management and DSDM Atern for systems development, both to avoid reinventing the wheel and to ensure that inappropriate assumptions don't result in aspects of governance being overlooked. Then, once it knows what it wants to do, it will use tools to automate its processes as far as is appropriate. Computer-aided people are more cost-effective and efficient than people alone, more flexible than automation alone, and governance rules embodied in software, or as parameters applied to software, are easier (and cheaper) to audit and enforce.

Appendix

Resources

[8thDirCons, web] http://webarchive.nationalarchives.gov.uk/tna/

[ALM, web] The Borland/Micro Focus solution for Application Lifecycle Management (ALM), http://www.borland.com/alm/; see also http://www.microfocus.com/products/

[APB, web] Bulletin 2006/5 The Combined Code on corporate governance: Requirements of auditors under the Listing Rules of the Financial Services Authority, and 2009/4 Developments in Corporate Governance Affecting the Responsibilities of Auditors of UK Companies, http://www.frc.org.uk/

[Atern, web] DSDM Atern, http://www.dsdm.org/atern/

[Atrium, web] BMC Atrium, http://www.bmc.com/products/brand/bmc-atrium0726.html

[AuditMaster, web] Pervasive's AuditMaster tool, http://www.pervasive.com/

[BalScore, web] The Balanced Scorecard Institute, http://www.balancedscorecard.org/

[BCSCode, web] The BCS Code of Practice, http://www.bcs.org/server.php?show=nav.6029

[Beck, 1999] Kent Beck, Extreme Programming Explained: Embracing Change, 1999, Addison Wesley, ISBN 0201616416

[BIS, web] Bank for International Settlements, Enhancing corporate governance for banking organisations (September 1999), http://www.bis.org/publ/bcbsc138.pdf

[BloorAnalytics, web] http://www.bloorresearch.com/blog/the-norfolk-punt/2010/8/its-not-just-analytics____.html

[BloorEA, web] Enterprise Architecture, http://www.bloorresearch.com/research/spotlight/1040/the-rise-of-enterprise-architectures.html

[BoardBrief, web] Board Briefing on IT Governance, 2nd Edition, IT Governance Institute, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA, Phone: +1.847.590.7491, Fax: +1.847.253.1443, E-mail: info@itgi.org, Web sites: www.itgi.org and www.isaca.org

[BSA, web] The Business Software Alliance, http://www.bsa.org/

[BSM, Web] http://www.bmc.com/solutions/bsm

[CC, web] The Combined Code on corporate governance, July 2003, http://www.fsa.gov.uk/pubs/ukla/lr_comcode2003.pdf

[Changepoint, web] Compuware Changepoint, http://www.compuware.com/solutions/it-portfolio-management.asp and Compuware IT Governance, http://www.compuware.com/services/professional-services-it-governance.asp

[CMMI, web] Capability Maturity Model Integration, http://www.sei.cmu.edu/cmmi. This model is based on assessment against 5 maturity levels: 5, continuous process improvement through proactive process measurement; 4, quantitative process metrics, at the organisational level, used to manage and improve the process; 3, managed process at an organisational level; 2, managed process at a project level; 1, ad hoc application of process

[COBIT, web] COBIT, http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

[CombinedCode, web] Combined Code on Corporate Governance, http://www.frc.org.uk/CORPORATE/COMBINEDCODE.CFM

[CompaniesAudit, web] Companies (Audit, Investigations and Community Enterprise) Act 2004, http://www.legislation.gov.uk/ukpga/2004/27/contents and http://www.companieshouse.gov.uk/companiesAct/companiesAct.shtml

[Constantine, 1995] Larry Constantine, Constantine on Peopleware, Yourdon Press, 1995, ISBN 0-13-331976-8

[CopyRightAct, web] UK Copyright, Designs and Patents Act, http://www.legislation.gov.uk/ukpga/1988/48/contents

[COSO, web] http://www.coso.org/

[Disability, web] Disability Discrimination Act 1995, http://www.legislation.gov.uk/ukpga/1995/50/contents; also Special Educational Needs and Disability Act 2001, http://www.legislation.gov.uk/ukpga/2001/10/contents

[DPA, web] Data Protection Act 1998, http://www.ico.gov.uk/for_organisations/data_protection.aspx and http://www.legislation.gov.uk/ukpga/1998/29/contents

[DSDM, web] Dynamic Systems Development Method, http://www.dsdm.org/

[ESB, 2004] David A Chappell, Enterprise Service Bus, 2004, O'Reilly, ISBN 0-596-00675-6

[EUAuditDir, Web] Scoreboard on the transposition of the Statutory Audit Directive (2006/43/EC), http://ec.europa.eu/internal_market/auditing/docs/dir/01_02_10_scoreboard_en.pdf

[FAST, web] The Federation Against Software Theft, http://www.fast.org.uk/

[Faegre, web] Michael Fleming, Sarbanes-Oxley and IT: Beware of Magic Bullet Solutions, Trends (Faegre & Benson), 2003; appears to be no longer available on the Web

[FI, web] Freedom of Information Act 2000, http://www.ico.gov.uk/for_organisations/freedom_of_information.aspx and http://www.legislation.gov.uk/ukpga/2000/36/contents

[FT, Web] http://www.ft.com/cms/s/0/2d61f5ae-b9c3-11df-968f-00144feabdc0.html (requires registration)

[HAS, web] Statutory Instrument 1999 No. 3242, The Management of Health and Safety at Work Regulations 1999, http://www.legislation.gov.uk/uksi/1999/3242/contents/made

[HEAT, web] HEAT Help Desk from FrontRange Solutions, http://www.frontrange.com/software/help-desk/ (see also its full range of IT service management solutions at http://www.frontrange.com/ProductsSolutions/Category.aspx?id=22&ccid=41)

[HIPAA, web] Health Insurance Portability and Accountability Act, https://www.cms.gov/hipaageninfo/

[HPMercury, web] Business Technology Optimisation (BTO) solutions, https://www.hp.com

[IBMDoors, web] IBM Rational DOORS, http://www-01.ibm.com/software/awdtools/doors/ and IBM Rational Synergy, http://www-01.ibm.com/software/awdtools/synergy/

[IBMJAZZ, web] Jazz environment, http://www-01.ibm.com/software/rational/jazz/

[IBMJAZZNET, web] Jazz community, http://jazz.net/

[IBMRAM, web] Rational Asset Manager, http://jazz.net/projects/rational-asset-manager/

[IOD, 2004] Institute of Directors and SAS, Corporate Governance, 2004, Director Publications, ISBN 1 9045 2025 3

[ICEAW, Web] http://www.icaew.com/index.cfm/route/144792/icaew_ga/en/Technical_and_Business_Topics/Topics/Audit_and_assurance/Text_and_updates_on_Statutory_Audit_revised_8th_Company_Law_Directive

[ISO27000, web] A consortium of security consultants at http://www.27000.org/ and the ISO site at http://www.iso.org/

[ISO38500, web] ISO/IEC 38500:2008, http://www.iso.org/iso/catalogue_detail?csnumber=51639

[ISO38500PR, web] ISO 38500 Press Release, http://www.iso.org/iso/pressrelease.htm?refid=Ref1135

[ITGI, web] The IT Governance Institute, http://www.itgi.org/

[ITIL, web] Originally IT Infrastructure Library, now simply ITIL, http://www.itil-officialsite.com/home/home.asp

[ITIL FAQ, Web] http://www.itil-officialsite.com/faq.asp

[ITILLive, web] http://www.bestpracticelive.com/

[ITPP, 2010] IT Policies and Procedures, Section 9, Legislative Compliance, published by Croner (Wolters Kluwer (UK) Limited), http://www.croner.co.uk/croner/productDetails/category/Sectors-we-serve/General-Office-Management/product/GEE-IT-Policies-and-Procedures

[itSMF, Web] IT Service Management Forum, http://www.itsmf.com/

[Kaplan and Norton, 1992] Robert Kaplan and David Norton, The Balanced Scorecard: Measures that Drive Performance, Harvard Business Review, 1992

[Kaplan and Norton, 1996] Robert Kaplan and David Norton, The Balanced Scorecard: Translating Strategy into Action, Harvard Business School Press, 1996, ISBN 0-87584-651-3

[LacyNorfolk, 2010] Shirley Lacy and David Norfolk, Configuration Management: Expert Guidance for IT Service Managers and Practitioners, ISBN 9781906124588, http://www.bcs.org/server.php?show=nav.13336

[ManObj, web] Managed Objects, now part of Novell, http://www.novell.com/solutions/business-service-management/

[Netegrity, 2005] Netegrity has now been acquired by CA; the Netegrity IT Security/Compliance Survey, 2005, is unfortunately not available on the web (http://www.netegrity.com)

[NovellBSM, web] Novell Business Service Manager, http://www.novell.com/solutions/business-service-management

[NovellMyCMDB, web] Novell MyCMDB, a social networking application, http://www.novell.com/media/content/novell-mycmdb-overview.html

[OECD, web] The review process for the OECD Principles of corporate governance, http://www.oecd.org/document/26/0,3343,en_2649_34813_23898906_1_1_1_1,00.html

[OGC, web] OGC (Office of Government Commerce), http://www.ogc.gov.uk/

[OpenView, Web] http://www.managementsoftware.hp.com/solutions/bsm/

[PCNetAdv, web] David Norfolk, Understanding DSDM, http://csis.pace.edu/~marchese/CS616/Agile/DSDM/D1121.pdf

[PlanISM, 2002] Planning to Implement Service Management, 2002, ISBN 0113308779 (CD ISBN 0113309058)

[ProcDir, web] Atego Process Director, http://www.atego.com/products/atego-process-director/

[Reiss, 1995] Geoff Reiss, Project Management Demystified, 2nd ed., 1995, E and FN Spon, ISBN 0 419 20750 3

[Reiss, 1996] Geoff Reiss, Programme Management Demystified, 1st ed., 1996, E and FN Spon, ISBN 0 419 21350 3

[Remedy, web] BMC Software Remedy Service Management, http://www.remedy.com/ and http://www.bmc.com/products/product-listing/53035210-143801-2527.html

[RIPA, web] Regulation of Investigatory Powers Act (RIPA), http://www.legislation.gov.uk/ukpga/2000/23/contents

[SEC-SOX, web] SEC compliance dates for Section 404 of Sarbanes-Oxley, http://www.sec.gov/rules/final/33-8238.htm

[SOX, web] Sarbanes-Oxley Act, http://www.gpo.gov/; Wikipedia provides a fairly useful overview, http://en.wikipedia.org/wiki/sarbanes-oxley_act

[StandDir, web] Standards Direct is a source for copies of the ISO 27000 security standards (renumbering ISO 17799), and a useful source of other BSI standards, http://www.standardsdirect.org/iso17799.htm

[Standish, web] http://www.standishgroup.com/sample_research/chaos_1994_1.php (requires registration)

[STR-DPA, web] The UK's anti-money laundering legislation and the Data Protection Act 1998, guidance notes for the financial sector, April 2002, http://www.hm-treasury.gov.uk/

[SUNLive05, web] SUNLive05 conference, March 22nd 2005; Sun Microsystems now belongs to Oracle and this conference no longer appears to be on the Web, http://www.oracle.com/us/sun/index.htm

[Thoughtworks, web] http://www.thoughtworks.com

[TOGAF, web] TOGAF, http://www.opengroup.org/togaf/

[Turnbull, web] ICAEW Guidance for Directors on the Combined Code, http://www.icaew.com/index.cfm/route/159066/icaew_ga/en/Library/Links/Corporate_governance/Corporate_governance_codes/UK_Corporate_Governance_Codes_and_Reports; and Turnbull Guidance at http://www.frc.org.uk/corporate/internalcontrol.cfm

[WCAG, web] W3C Web Content Accessibility Guidelines, http://www.w3.org/TR/WCAG10/

[WEEE, web] WEEE Recycling Directive, http://www.environment-agency.gov.uk/business/topics/waste/32084.aspx and http://www.legislation.gov.uk/

[Zachman, web] Zachman framework, http://www.zifa.com/framework.html

88

A THOROGOOD SPECIAL BRIEFING

Other specially commissioned briefings from Thorogood
BUSINESS AND COMMERCIAL LAW
Commercial Contracts: Legal principles and drafting
Burnett, Rachel 145

ISBN: 978-185418702-4

This briefing takes into account relevant legislation and case law. For all points
of the law and critical distinctions, you will find crystal-clear explanations and
guidelines to a host of case studies illustrating the law and its application.

Commercial Litigation: Damages and other remedies for breach of contract
Ribeiro, Robert 145

ISBN: 978-185418397-2

A great deal has changed in the last few years... a new emphasis on claims for
damages such as loss of business, opportunity, chance, use and data and recent
landmark cases have altered the ground-rules. Completely updated, this briefing
includes accounts of all the most recent important cases and highlights significant changes in the way that the courts now assess damages.

Corporate Governance
Martin, David 99

ISBN: 978-185418354-5

This briefing is a clear, accessible and jargon-free analysis of the practical application of Corporate Governance. With short case studies to illustrate legal requirements, the author guides the reader through all aspects of the Corporate Governance programme, concentrating specifically on its use by organisations that are not required to adopt it, such as listed PLCs.

Email: Legal issues 2008
Singleton, Susan 125

ISBN: 978-185418630-0

One of the biggest changes to office life in the last five years has been the growth of e-mail. On balance it is a major advantage to businesses, enabling postage charges and time to be saved, but e-mail also comes with certain legal risks.
This report seeks to highlight those areas where employers particularly need to consider relevant risks. However, in most cases the risks can be minimised to an acceptable level, and nothing in this report should put any employer off letting their employees loose on e-mail. It highlights the principal issues which arise and the means to ensure enforcement, in particular by presenting to employees a coherent e-mail and Internet use policy so they know where they stand.

For full details of any title, and to view sample extracts, please visit:

www.thorogoodpublishing.co.uk

Freedom of Information Act in Practice 2008
Singleton, Susan 145

ISBN: 978-185418632-4

Do you want to know how to use the Act to obtain information about your own competitors?
Are you worried about making your contracts fully confidential?
These and many other issues are expertly dealt with in this valuable new report. This report shows how businesses can ensure that they don't disclose information inadvertently and how to protect their own information by drafting new contracts in the right way. Susan Singleton has advised many clients in all sectors on the FOIA from a practical standpoint.

International Commercial Agreements
Attree, Rebecca 99

ISBN: 978-185418286-9

This report appears at an exciting time for international commercial lawyers: new legislation, fresh opportunities and the challenge of understanding fully how to exploit them.
Recent changes to EC Competition Law have made a significant impact upon parties' freedom to contract commercially, generally giving them greater flexibility. In the field of e-commerce, the EC has issued a welter of laws that are in the course of being implemented into national laws.
The report explains the principles and techniques of successful international negotiation and provides a valuable insight into the commercial points to be considered as a result of the laws relating to:
• pre-contract
• private international law
• resolving disputes (including alternative methods, such as mediation)
• competition law
• drafting common clauses
• contracting electronically

Software Contract Agreements
Bond, Robert 145

ISBN: 978-185418692-8

A thorough explanation of the law combined with expert guidance on negotiating and drafting the best contract for your client.
• A clear explanation of the law relating to computer contracts, with particular emphasis on software licences
• A wealth of advice, tips and techniques for successful contract negotiation and drafting
• Leading author: an expert with over 25 years' experience in IP/IT law in a wide range of sectors
• Valuable sample contracts


Achieving Business Excellence, Quality and Performance Improvement
Chapman, Colin & Hopper, Dennis 99

ISBN: 978-185418018-6

This valuable briefing identifies all the areas critical to developing an effective performance improvement process. It is a practical guide to the use of business excellence models and frameworks, quality standards, benchmarking tools, self-assessment programmes and the latest performance improvement initiatives.

The Commercial Exploitation of Intellectual Property Rights by Licensing
DesForges, Charles 99

ISBN: 978-185418285-4

This report will show you, whether as licensor or licensee, how to identify and secure profitable opportunities, strategies and techniques for negotiating the best agreement, and finally the techniques of successfully managing a licence operation.

Intellectual Property Protection and Enforcement
Brazell, Lorna 99

ISBN: 978-185418054-4

Incorporating the latest developments in IP law, this briefing reviews each of the principal forms of intellectual property right available in the United Kingdom, describing the nature of the right itself and explaining:
• how rights arise or can be obtained
• how rights can be exploited
• what is necessary to protect rights from erosion or loss
• what actions will constitute infringement of a right, under either civil (enforced by the owner) or criminal (enforced by public authorities) law
• what remedies are available to the owner of the right, once infringement has been proved.
Each chapter can be read on its own for convenient reference, and the introduction to each chapter also makes it clear where awareness of another section may be useful.

Waste Management: The changing legislative climate
Hand, Caroline 69

ISBN: 978-185418367-5

This valuable briefing explains what all the new legislation, directives and regulations mean in practice and what you need to do to stay within the law. Recent far-reaching changes to the law and practice affect everyone: commerce and industry, central and local government and householders.

Websites and the Law
Singleton, Susan 99

ISBN: 978-185418331-6

Is your company/client website legal? Do you know what information you are required by law to put on it? What can you do with people's personal data sent to your website? This briefing deals with all the practical legal issues which arise with websites, both those sites which sell goods or services and those which advertise.

Need it now? Download a PDF of the report at: www.thorogoodpublishing.co.uk

BUSINESS STRATEGY AND MANAGEMENT
A Practical Guide to Knowledge Management
Brelade, Sue & Harman, Chris 99

ISBN: 978-185418230-2

An expert but jargon-free guide to enable you to manage the knowledge in your
organisation successfully and to identify, gather and use that knowledge to maximum advantage.

Analyse your Business: A performance health check
O'Connor, Carol 99

ISBN: 978-185418170-1

This briefing offers the tools and techniques for company-wide analysis and is
essential reading for business leaders responsible for corporate performance.
Its purpose is to put minor issues into perspective and discourage the use of
quick fix solutions for bigger problems.

Tendering & Negotiating MoD Contracts
Boyce, Tim 99

ISBN: 978-185418276-0

This specially commissioned report aims to draw out the main principles, processes and procedures involved in tendering and negotiating MoD contracts. As Tim Boyce writes in the Introduction, 'it is important to realise that the SPI embraces a conceptual shift in the role of the MoD procurers.'
What does this huge shift in thinking mean for contractors? How exactly has the role of MoD purchasing changed? This briefing covers every aspect of competitive tendering, negotiation and contractual negotiations in this new era.
There can be few people who combine Tim Boyce's experience and expertise with a gift for explaining issues and procedures with such clarity.

Understanding SMART Procurement in the MOD
Boyce, Tim 99

ISBN: 978-185418164-0

The main thrust of this report is on issues to do with strategy, organisation and
processes. The single most encouraging and exciting feature of the SMART procurement initiative is that it embraces the need to change the culture. There is
a commitment within the high political echelon of the MoD to make this change
happen. Probably the greatest single challenge is to ensure that this commitment
is maintained through the inevitable changes of personality at the political and
senior management level.

IT Governance
Norfolk, David 99

ISBN: 978-185418745-1

This specially commissioned briefing sets out what the latest legislation says and
what it means, its impact on the organisation as a whole and on the IT group
specifically, and how to implement an effective IT governance initiative in your
company.


Practical Techniques for Effective Project Investment Appraisal
Tiffin, Ralph 99

ISBN: 978-185418099-5

How to ensure you have a reliable system in place. Spending money on projects automatically necessitates an effective appraisal system: a way of deciding whether the correct decisions on investment have been made.

Project Risk Management: The commercial dimension
Boyce, Tim 95

ISBN: 978-185418257-9

This briefing will show you how to fully appreciate all the commercial dimensions of important projects and understand how to identify all the risks during the pre-contract bidding phase.

Strategy Implementation Through Project Management
Grundy, Tony 99

ISBN: 978-185418250-0

The gap: Far too few managers know how to apply project management techniques to their strategic planning. The result is often strategy that is poorly
thought out and executed.
The answer: Strategic project management is a new and powerful process designed to manage complex projects by combining traditional business analysis with project management techniques.

Surviving a Corporate Crisis: 100 things you need to know
Batchelor, Paul 99

ISBN: 978-185418208-1

Seven out of ten organisations that experience a corporate crisis go out of business within 18 months. This briefing not only covers remedial action after the event but offers expert advice on preparing every department and every key player of the organisation so that, should a crisis occur, damage of every kind is limited as far as possible.

Technical Aspects of Business Leases: Overcoming the practical difficulties
Dowden, Malcolm 99

ISBN: 978-185418194-7

The purpose of this briefing is to highlight areas where technical issues might lead
to practical difficulties, and to give clear guidance to help those involved in property management avoid the pitfalls.

FINANCE
Tax Planning for Businesses and their Owners
Hughes, Peter 145

ISBN: 978-185418402-3

Written for business owners and managers, this special report offers expert advice on the tax implications of your business decisions, guiding you in making the right business and personal choices for tax reduction.

Trade Secrets of Business Disposals
Pearson, Barrie 145

ISBN: 978-185418321-7

If you're like most people, you'll only get one chance to sell your business and to capitalise on years of hard work and planning. You can either fluff it, or make sure you get the best possible advisor and become financially secure for life, and possibly very rich. This briefing shows you how to make your business investor-ready for maximum capital return.

Trade Secrets of Business Acquisitions
Pearson, Barrie 145

ISBN: 978-185418366-8

In this invaluable new briefing one of the City's most successful deal-makers distils 40 years' experience as both principal and advisor. 'Losing a deal by adopting the wrong tactics is unforgivable,' he writes, 'but it happens all too often.'
This briefing offers both professional advisors and principals the opportunity to transform their rate of success, clarifying hard truths and highlighting avoidable mistakes. It is laced throughout with proven tactical advice to ensure that both deals and post-acquisition management are carried out with maximum success.

VAT Liability and the Implications of Commercial Property Transactions
Buss, Tim 145

ISBN: 978-185418747-5

The option to tax is a major VAT planning tool, but you have got to get the detail right to take full advantage, and getting it wrong can be very costly. This briefing shows you how to plan for maximum advantage and avoid costly mistakes.

EMPLOYMENT LAW
Data Protection Law for Employers 2008
Singleton, Susan 145

ISBN: 978-185418626-3

This briefing seeks to summarise the application of the Act to the employment discipline. It concentrates on the areas which are useful and practical to employers by examining the Information Commissioner's Office code of practice. It answers many of the mundane, day-to-day data protection issues that employers and those who are responsible for personal data need to know.

Discrimination Law and Employment Issues
Martin, David 145

ISBN: 978-185418678-2

The Age Discrimination Act is billed by lawyers as the most significant change
in employment law since the 1970s. In addition to sex and race discrimination
laws, in the last two years employers have also had to cope with sexual orientation discrimination and religious discrimination. David Martin, an expert on
employment law and practice, analyses the practical aspects of dealing with each
of the anti-discrimination laws. He demonstrates how to ensure that paperwork
and systems comply totally with the law, and he provides a range of helpful case
studies to illustrate the key issues and bring them to life.

Effective Recruitment: A practical guide to staying within the law
Leighton, Patricia & Proctor, Giles 145

ISBN: 978-185418683-6

The ways to undertake the task continue to grow, making the decision as to how
best to recruit for a given employment situation more complex. This specialist
text is responding to a number of imperatives, including legal ones. There have
been, and are, anticipated changes that make it essential that recruitment practitioners act both effectively and within the law.

Employee Sickness and Fitness for Work: Successfully dealing with the legal system
Howard, Gillian 99

ISBN: 978-185418281-4

Many executives see employment law as an obstacle course or, even worse, an opponent, but it can contribute positively to keeping employees fit and productive. This briefing will show you how to get the best out of your employees, from recruitment to retirement, while protecting yourself and your firm to the full.

Employment Law Aspects of Mergers and Acquisitions: A practical guide
Ryley, Michael 99

ISBN: 978-185418363-7

This report will help you to understand the key practical and legal issues, achieve
consensus and involvement at all levels, understand and implement TUPE regulations and identify the documentation that needs to be drafted or reviewed within
the context of a merger, acquisition or disposal.

Navigating Health and Safety Law: Ensuring compliance and minimising risk
Pope, Chris 99

ISBN: 978-185418353-8

If you have already been challenged by the insurer, inspector, or one of your workforce about the status of your health and safety, this briefing will give you a workable answer to questions like 'Is my health and safety policy legally compliant?', 'How do I avoid being liable for an employee's ill health arising from previous employment?' and 'Who should carry out safety inspections: is it my responsibility?'

Successfully Defending Employment Tribunal Cases
Hunt, Dennis 99

ISBN: 978-185418267-8

Sweeping changes to the way employment tribunal claims are dealt with have
increased the risk of higher costs and more expensive claims. This indispensable report covers all the changes and their implications for HR professionals.

The Thorogood Promise
If you are not totally satisfied and you return a publication in mint condition within 14 days of receipt, we will refund the cost of the publication, no questions asked.

HR, RECRUITMENT AND TRAINING
Applying the Employment Act 2002: Crucial developments for employers and employees
Williams, Audrey 99

ISBN: 978-185418253-1

The Act represents a major shift in the commercial environment, with far-reaching changes for employers and employees. The consequences of getting it wrong, for both employer and employee, will be considerable, financial and otherwise. The Act affects nearly every aspect of the workplace.

Dismissal and Grievance Procedures
Hunt, Dennis 99

ISBN: 978-185418376-7

This briefing explains what all the regulations say and what steps you need to
take to operate effective dismissal, disciplinary and grievance procedures. It covers all the requirements of the Disputes Resolution Procedures that came into
effect in October 2004. It tells you where and when the regulations apply and
what you need to do.

Enabling Beyond Empowerment
Williams, Michael 99

ISBN: 978-185418084-1

By applying the range of practical management techniques detailed in this briefing, you can provide the authority and means to empower in a way that substantially reduces the dangers.

Flexible Working
Williams, Audrey 99

ISBN: 978-185418306-4

Recent research shows that far too many individuals, as well as firms, are unaware of flexible working rights. How employers and employees deal with
them is of crucial and increasing importance to both. This briefing clarifies
the law, sets out the rights of employer and employee, and offers valuable practical advice on best practice.

How to Turn your HR Strategy into Reality
Grundy, Tony 99

ISBN: 978-185418183-1

From a diagnosis of HR issues to an analysis of the external and internal future environment of your company and the effect on your human resources, this is practical information aimed at HR and senior line managers.

Internal Communications
Farrant, James 99

ISBN: 978-185418149-7

There is growing evidence that the organisations that get it right reap dividends
in corporate energy and enhanced performance. In these organisations, internal communications have equal status with the external communications functions. This practical briefing will show you how internal communications, taken
in their widest sense, can improve the performance of organisations.

Mergers and Acquisitions: Confronting the organisation and people issues
Thomas, Mark 145

ISBN: 978-185418676-8

Why do so many mergers and acquisitions end in tears and reduced shareholder
value? This report will help you to understand the key practical and legal issues,
achieve consensus and involvement at all levels, understand and implement
TUPE regulations and identify the documentation that needs to be drafted or reviewed.

New Ways of Working
Jupp, Stephen 99

ISBN: 978-185418169-5

New ways of working examines the nature of the work done in an organisation
and seeks to optimise the working practices and the whole context in which the
work takes place. It is more about promoting the best ways of doing things than
simple cost driven change. Although it emphasises the importance of business
and organisation, it spans the concerns of people, property, technology, community and environment.

Power Over Stress at Work
Araoz, Daniel 99

ISBN: 978-185418176-3

The HR manager can learn how to deal creatively with stress from the information in this briefing and pass on their knowledge down the ranks. He or she will then halt the downward spiral of diffusing stress and produce a more positive knock-on effect, namely to increase the productivity of the entire workforce and reduce absenteeism resulting from this terrible illness.

Reviewing and Changing Contracts of Employment
Phillips, Annelise; Player, Thomas & Rome, Paula 99

ISBN: 978-185418296-8

The Employment Act 2002 has raised the stakes. Imperfect understanding of the law and poor drafting will now be very costly. This briefing will:
• Ensure that you have a total grip on what should be in a contract and what should not
• Explain step by step how to achieve changes in the contract of employment without causing problems
• Enable you to protect clients' sensitive business information
• Enhance your understanding of potential conflict areas and your ability to manage disputes effectively.

Trade Secrets of Using e-Learning in Training
Bray, Tony 99

ISBN: 978-185418326-2

Definitely not for techies, this briefing is practical and jargon-free, giving you step-by-step skills and processes to enable you to design effective e-learning products with confidence.


Transforming HR
Hunter, Ian and Saunders, Jane 99

ISBN: 978-185418361-3

The blueprint for the future of HR: how to deliver proven value to your Board, business and colleagues. The briefing is based on interviews with 60 HR leaders from across industry and the public and not-for-profit sectors. The briefing covers HR outsourcing and shared services.

MARKETING, PR AND SALES
Corporate Community Investment
Genasi, Chris 99

ISBN: 978-185418192-3

Supporting good causes is big business and good business. Corporate community investment (CCI) is the general term for companies' support of good causes, and is a very fast growing area of PR and marketing.

Defending your Reputation
Taylor, Simon 99

ISBN: 978-185418251-7

'Buildings can be rebuilt, IT systems replaced, people can be recruited, but a reputation lost can never be regained.' 'The media will publish a story; you may as well ensure it is your story' (Simon Taylor). 'News is whatever someone, somewhere, does not want published' (William Randolph Hearst). When a major crisis does suddenly break, how ready will you be to defend your reputation?

Implementing an Integrated Marketing Communications Strategy
Hart, Norman 99

ISBN: 978-185418120-6

Get ahead and stay ahead of your competition through better integration of
your marketing communications. Norman Hart was an international consultant, lecturer and author on marketing, advertising and public relations. His
books included The CIM Marketing Dictionary, Strategic Public Relations, The
Practice of Advertising and Industrial Marketing Communications.

Insights into Understanding the Financial Media: An insider's view
Scott, Simon 99

ISBN: 978-185418083-4

This practical report will help you understand the way the financial print and
broadcast media works in the UK. It will also provide you with techniques and
guidelines on how to communicate with the financial media in the most effective way, to help you achieve accurate and positive coverage of your organisation and its operations.

Lobbying and the Media: Working with politicians and journalists
Burrell, Michael 99

ISBN: 978-185418240-1

Lobbying is an art form rather than a science, so there is inevitably an element of judgement in what line to take. The best lobbying is always based on accurate, up-to-date information and on a well-argued case, founded on credible evidence, and delivered to the right audiences in the right tone of voice at the right time. Sounds simple, but it isn't. This expert briefing explains the knowledge and techniques required.

Managing Corporate Reputation: The new currency
Dalton, John & Croft, Susan 99

ISBN: 978-185418272-2

ENRON, WORLDCOM: who next? At a time when trust in corporations has plummeted to new depths, knowing how to manage corporate reputation professionally and effectively has never been more crucial. This briefing shows you how to:
• Develop PR, brands and relationship management as the vanguards of your corporate reputation
• Strengthen your internal as well as external communications
• Improve the effective management of your stakeholders

Practical Techniques for Effective Lobbying
Miller, Charles 99

ISBN: 978-185418089-6

Understanding the system and the process in which it works is essential to lobbying effectively. Uncoordinated, uncontrolled and badly planned approaches
will do more harm than good, and risk antagonising the people you most want
to influence. This briefing provides the techniques required for effective lobbying.

Public Affairs Techniques for Business
Wynne-Davies, Peter 99

ISBN: 978-185418175-6

This briefing shows in practical terms how you can counter potential threats through a professionally structured and implemented public affairs campaign. Today's successful companies recognise that in order to survive and prosper a comprehensive and disciplined approach to public affairs is no longer just a useful asset; it is now a necessity.

Selling Skills for Professionals
Tasso, Kim 99

ISBN: 978-185418179-4

Many professionals still feel awkward about really selling their professional
services. They are not usually trained in selling. This is a much-needed briefing
which addresses the unique concerns of professionals who wish to sell their
services successfully and to feel comfortable doing so.

Strategic Customer Planning
Melkman, Alan 95

ISBN: 978-185418388-0

This is very much a 'how to' briefing. After reading those parts that are relevant to your business, you will be able to compile a powerful customer plan that will work within your particular organisation for you. Charts, checklists and diagrams throughout.

Strategic Planning in Public Relations
Knights, Kieran 145

ISBN: 978-185418225-8

Tips and techniques to aid you in a new approach to campaign planning. Strategic planning is a fresh approach to PR. An approach that is fact-based and scientific, clearly presenting the arguments for a campaign proposal backed with
evidence. This briefing provides valuable tips and techniques to improve your
PR and campaign planning.

Successful Competitive Tendering
Woodhams, Jeff 99

ISBN: 978-185418235-7

To win business, you must make a convincing case. This briefing will help you
become more skillful, and more successful in your tendering.

Techniques for Ensuring PR Coverage in the Regional Media: An insider's view
Imeson, Mike 99

ISBN: 978-185418019-3

This in-depth briefing will give you the tools and techniques you need to enjoy the opportunities offered by the regional and local media. It offers you practical guidance and advice on how to apply them with maximum effect for your
next PR campaign.

Order Form
FIVE WAYS TO ORDER
1 Tel: +44 (0)1235 465 500
2 Fax: +44 (0)1235 465 556
3 Email: direct.orders@marston.co.uk
4 Web: www.thorogoodpublishing.co.uk
5 Post: Marston Book Services, 10-12 Rivington Street, London EC2A 3DU

Title

ISBN

Price

Authors

Commercial Contracts: Legal principles and drafting

978-185418702-4

145

Burnett, Rachel

Commercial Litigation: Damages and other remedies


for breach of contract

978-185418397-2

145

Ribeiro, Robert

Corporate Governance

978-185418354-5

99

Martin, David

Email: Legal issues

978-185418256-0

145

Singleton, Susan

Freedom of Information Act

978-185418347-7

145

Singleton, Susan

International Commercial Agreements

978-185418286-9

99

Attree, Rebecca

Insights into Successfully Managing the In-house


Legal Function

978-185418174-9

95

OMeara, Barry

Software Contract Agreements

978-185418692-8

145

Bond, Robert

Achieving Business Excellence, Quality and


Performance Improvement

978-185418018-6

99

Chapman, Colin
& Hopper, Dennis

The Commercial Exploitation of Intellectual Property


Rights by Licensing

978-185418285-4

99

DesForges,
Charles

Intellectual Property Protection and Enforcement

978-185418054-4

99

Brazell, Lorna

Waste Management: The changing legislative climate

978-185418367-5

69

Hand, Caroline

Qty | Title | ISBN | Price | Authors
___ | Websites and the Law | 978-185418331-6 | 99 | Singleton, Susan
___ | A Practical Guide to Knowledge Management | 978-185418230-2 | 99 | Brelade, Sue & Harman, Chris
___ | Analyse your Business: A performance health check | 978-185418170-1 | 99 | O'Connor, Carol
___ | Tendering & Negotiating MoD Contracts | 978-185418276-0 | 99 | Boyce, Tim
___ | Understanding SMART Procurement in the MOD | 978-185418164-0 | 99 | Boyce, Tim
___ | IT Governance | 978-185418745-1 | 99 | Norfolk, David
___ | Practical Techniques for Effective Project Investment Appraisal | 978-185418099-5 | 99 | Tiffin, Ralph
___ | Project Risk Management: The commercial dimension | 978-185418257-9 | 99 | Boyce, Tim
___ | Strategy Implementation Through Project Management | 978-185418250-0 | 99 | Grundy, Tony
___ | Surviving a Corporate Crisis: 100 things you need to know | 978-185418208-1 | 90 | Batchelor, Paul
___ | Technical Aspects of Business Leases: Overcoming the practical difficulties | 978-185418194-7 | 99 | Dowden, Malcolm
___ | Tax Planning for Businesses and their Owners | 978-185418334-7 | 145 | Hughes, Peter
___ | Trade Secrets of Business Disposals | 978-185418321-7 | 145 | Pearson, Barrie
___ | Trade Secrets of Business Acquisitions | 978-185418366-8 | 145 | Pearson, Barrie
___ | VAT Liability and the Implications of Commercial Property Transactions | 978-185418747-5 | 145 | Buss, Tim
___ | Data Protection Law for Employers | 978-185418283-8 | 145 | Singleton, Susan
___ | Discrimination Law and Employment Issues | 978-185418339-2 | 145 | Martin, David
___ | Effective Recruitment: A practical guide to staying within the law | 978-185418683-6 | 145 | Leighton, Patricia & Proctor, Giles
___ | Employee Sickness and Fitness for Work: Successfully dealing with the legal system | 978-185418281-4 | 99 | Howard, Gillian
___ | Employment Law Aspects of Mergers and Acquisitions: A practical guide | 978-185418363-7 | 99 | Ryley, Michael
___ | Navigating Health and Safety Law: Ensuring compliance and minimising risk | 978-185418353-8 | 99 | Pope, Chris
___ | Successfully Defending Employment Tribunal Cases | 978-185418267-8 | 99 | Hunt, Dennis
___ | Applying the Employment Act 2002: Crucial developments for employers and employees | 978-185418253-1 | 99 | Williams, Audrey
___ | Dismissal and Grievance Procedures | 978-185418376-7 | 99 | Hunt, Dennis
___ | Enabling Beyond Empowerment | 978-185418084-1 | 99 | Williams, Michael
___ | Flexible Working | 978-185418306-4 | 99 | Williams, Audrey
___ | How to Turn your HR Strategy into Reality | 978-185418183-1 | 99 | Grundy, Tony
___ | Internal Communications | 978-185418149-7 | 99 | Farrant, James
___ | Mergers and Acquisitions: Confronting the organisation and people issues | 978-185418676-8 | 145 | Thomas, Mark
___ | New Ways of Working | 978-185418169-5 | 99 | Jupp, Stephen
___ | Power Over Stress at Work | 978-185418176-3 | 99 | Araoz, Daniel
___ | Reviewing and Changing Contracts of Employment | 978-185418296-8 | 99 | Phillips, Annelise; Player, Thomas & Rome, Paula
___ | Trade Secrets of Using e-Learning in Training | 978-185418326-2 | 99 | Bray, Tony
___ | Transforming HR | 978-185418361-3 | 99 | Hunter, Ian and Saunders, Jane
___ | Corporate Community Investment | 978-185418192-3 | 99 | Genasi, Chris
___ | Defending your Reputation | 978-185418251-7 | 99 | Taylor, Simon
___ | Implementing an Integrated Marketing Communications Strategy | 978-185418120-6 | 99 | Hart, Norman
___ | Insights into Understanding the Financial Media: An insider's view | 978-185418083-4 | 99 | Scott, Simon
___ | Lobbying and the Media: Working with politicians and journalists | 978-185418240-1 | 99 | Burrell, Michael
___ | Managing Corporate Reputation: The new currency | 978-185418272-2 | 99 | Dalton, John & Croft, Susan
___ | Practical Techniques for Effective Lobbying | 978-185418089-6 | 99 | Miller, Charles
___ | Public Affairs Techniques for Business | 978-185418175-6 | 99 | Wynne-Davies, Peter
___ | Selling Skills for Professionals | 978-185418179-4 | 99 | Tasso, Kim
___ | Strategic Customer Planning | 978-185418388-0 | 99 | Melkman, Alan
___ | Strategic Planning in Public Relations | 978-185418225-8 | 145 | Knights, Kieran
___ | Successful Competitive Tendering | 978-185418235-7 | 99 | Woodhams, Jeff
___ | Techniques for Ensuring PR Coverage in the Regional Media: An insider's view | 978-185418019-3 | 99 | Imeson, Mike

YOUR DETAILS
Please note that payment is required before briefings are dispatched. If paying by credit card, the address given below
must be that of the cardholder.
Please use BLOCK capitals.
Name____________________________________________________________________________________
Position __________________________________________________________________________________
Company _________________________________________________________________________________
Address _________________________________________________________________________________
________________________________________________________________________________________
____________________________________________________________ Postcode____________________
Country __________________________________________________________________________________
Tel _____________________________________________________________________________________
Fax _____________________________________________________________________________________
Email ___________________________________________________________________________________

PAYMENT DETAILS
I enclose a cheque for _______________ made payable to MARSTON BOOK SERVICES
Please invoice me
Please charge my credit card: Mastercard / Visa / Barclaycard / American Express / Switch / Connect
Card no. _____________________________________ Expiry date ___________________________________
Valid from ____________________________________ Issue number _________________________________
Cardholder's signature _______________________________________________________________________
I have paid by bank transfer [BACS]: Barclays Bank, sort code 20-65-18, account _________________________

POSTAGE AND PACKAGING
UK: Postage and packaging is FREE
OVERSEAS: 10 for the first copy and 5 for each additional copy
Please quote reference: Briefing when purchasing
