Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
leadership and is represented in value statements, mission statements and guiding principles. Value statements are the core beliefs and philosophies that shape the organizations vision and mission. Guiding principles are durable statements that encapsulate the role IT will play and how decisions will be driven in both the business and IT organizations, and at each abstraction level of the enterprise, i.e., strategic, tactical or operational. Guiding principles are enacted by controls in the form of policies, standards and procedures. Entrustment frameworkCentral to IT governance is the notion of accountability and authority. An accountability framework ensures clarity of, and accountability for, desired outcomes and should be defined with clear assignment of roles and responsibilities. Decision authorities are individuals or bodies, e.g., committees, boards, that are empowered to make and ratify decisions regarding the use of IT. The framework should also include organizational structures, constructs and functional interrelationships. Decision model and frameworkA common decision framework enables prudent, sound and informed decision making. It involves the clear assignment of decision rights and defines sequences of actions and decision paths in the decision processes. The goal should be to make decisions based on a more manageable set of possibilities by eliminating choices that are in conflict or inconsistent with the guiding principles and policies. A decision-making model helps ensure that IT decisions are coherent and consistent with the corporate direction and aligned with the overall business strategies. Decision factors need to be defined that weigh the importance of trade-off decisions. These factors might include cost-benefit analysis, risk identification, scope definition, financial impact, time to delivery, and efficiency and effectiveness of delivery. The design of the model should be geared to the number and type of decisions that need to be rendered.
1
Value realization and delivery frameworkValue realization has two dimensions, demand management and supply management. Demand management includes the activities involved with generating demand for the products and services offered by the organization. This translates to the need to ensure business and IT strategy alignment, effective portfolio management and prudent investment management. Supply management consists of the activities that are directly involved with provisioning and supplying the products and services offered by the organization. The IT Governance Institute (ITGI) has distilled value demand and delivery into five core disciplines. These focus areas, as depicted in figure 2, are create value (through strategic alignment), deliver value, risk management, resource management and performance measurement. Figure 2IT Governance Focus Areas
will vary from company to company. In spite of the obstacles, gaining an understanding of three influencing factors will provide reasonable assurance that the deployed IT governance practices and processes are aligned with the cultural and operational nuances of the company. Three primary influencing factors within an organizations business profile are: 1. The business modelArticulates how the organization will create and sustain value for its customer(s) 2. The operational modeDefines the role IT performs in providing value to the business 3. The personality profileThe manner in which a company characterizes itself. It is the companys identity and unique characteristics. Another important consideration when customizing IT governance is the change driver. This is the catalyst, event or business proposition that provides the impetus to focus on IT governance. Change drivers surface in many forms but are typically rooted in three themes: the need for operational excellence, risk management and regulatory compliance. The desire to achieve operational excellence is driven by the goal of deriving optimal business value from IT assets by emphasizing efficiency and effectiveness. For example, value can be realized by pursuing a shared services strategy, by defining a service-oriented architecture (SOA) or by establishing enterprise technical architecture. By contrast, if the drivers source is risk management or regulatory compliance, it is typically a response to external requirements such as the introduction of a new law or regulatory mandate.
Value managementThis aspect of IT governance is concerned with the delivery of business value from IT investments. The objective of value management is to ensure that organizations maximize value by optimizing the benefits of investments throughout their economic life cycle within defined risk tolerance thresholds. IT value management involves the continuous awareness of value for the organization, establishing measures or estimates of value, monitoring and controlling them. To help ensure that IT decision-making results in optimal value to the business, a value framework is required to objectively assess the relative business value of alternative IT investment planning decisions. There are various ways this can be achieved such as mapping business key performance indicators (KPIs) to IT KPIs and developing an appropriate set of balanced scorecards (BSCs) that link business and IT KPIs or by adopting the a comprehensive framework such as ITGIs Val IT.
effectiveness and efficiency, agility, advocacy level in the use of emerging technologies, and other key factors. Collectively, the composition of the value drivers serves as a major influence on the companys operational style and mode.
Subsequently, it helps address the dilemma of how to implement an IT governance program. This is particularly relevant in the layers of the model that address cultivating behavior, decision making and taking action (figure 3). Figure 3Customized IT Governance Architecture
Endnotes
1
Treacy, Michael; Fred Wiersema; The Discipline of Market Leaders, Perseus Books, USA, 1995
Nick Robinson, CISA is with Ernst & Youngs Technology and Security Risk Services practice. He has more than 20 years of information technology experience, including IT and operational risk management, and enterprise technical architecture. He currently provides advisory services to Fortune 500 companies in the areas of IT and security governance. Robinson has written articles for a variety of IT governance and compliance publications. He is a member of advisory group for ITGIs Val IT framework and can be contacted at nick.robinson@ey.com.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2007 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org