Copyright 2007 ISACA. All rights reserved. www.isaca.org.

The Many Faces of IT Governance:

Crafting an IT Governance Architecture
By Nick Robinson, CISA
nformation technology (IT) governance is moving more and more into the limelight as a means to improve IT performance, deliver optimum business value and ensure regulatory compliance. The key practices in support of these goals are strategic alignment, IT asset and resource management, IT investment and portfolio management, risk management and sustained operational excellence. Interest has evolved from a compelling argument into a focus on pragmatics: what approach and leading practice framework(s) should be used and how should IT governance be tailored to meet the needs of an organization? As is true with many initiatives, misdirected enthusiasm during the early stages of an IT governance implementation project can easily lead to the proverbial ready, fire, aim scenario. While such enthusiasm may spur an organization to select a specific framework, e.g., Control Objectives for Information and related Technology (COBIT), Val ITTM, ITIL, ISO 17799, ISO 27001, CMM, an early focus on a specific platform is premature and deflects from approaching IT governance in a more holistic manner. Establishing an IT governance program can be characterized as a blend of systematic process analysis coupled with aspects of behavioral science. Unlike projects of limited scale or those localized to a specific business function, IT governance permeates the organization at all levels of management and across functional boundaries. Every organization has a unique personality that reflects the companys cultural ecosystem and operating style. For this reason, implementing IT governance does not follow a one-size-fits-all mold. For IT governance to be effective, it needs to reflect the prevailing culture and be interwoven into the operational fabric of the organization.

Figure 1The IT Governance Model

The IT Governance Reference Model

A generally accepted definition of IT governance is to encourage desirable behavior in the use of information and technology. IT governance encompasses the decision framework, rights, responsibilities and accountability to ensure desired behavior in support of the organizations business goals. Behavior constitutes both decision and actionnot just making a decision, but taking action on it. IT governance comprises a set of formal and informal rules and practices that determine how empowerment is exercised, how IT decisions are made and how IT decision makers are held accountable for serving the corporate interest. The core tenets of IT governance can be abstracted into a multistrata reference model (figure 1). The layers of the model split broadly into: Internal environmentIt is essential to establish a cultural and operating climate that is conducive to, and promotes, effective IT governance. Culture consists of exhibiting

leadership and is represented in value statements, mission statements and guiding principles. Value statements are the core beliefs and philosophies that shape the organizations vision and mission. Guiding principles are durable statements that encapsulate the role IT will play and how decisions will be driven in both the business and IT organizations, and at each abstraction level of the enterprise, i.e., strategic, tactical or operational. Guiding principles are enacted by controls in the form of policies, standards and procedures. Entrustment frameworkCentral to IT governance is the notion of accountability and authority. An accountability framework ensures clarity of, and accountability for, desired outcomes and should be defined with clear assignment of roles and responsibilities. Decision authorities are individuals or bodies, e.g., committees, boards, that are empowered to make and ratify decisions regarding the use of IT. The framework should also include organizational structures, constructs and functional interrelationships. Decision model and frameworkA common decision framework enables prudent, sound and informed decision making. It involves the clear assignment of decision rights and defines sequences of actions and decision paths in the decision processes. The goal should be to make decisions based on a more manageable set of possibilities by eliminating choices that are in conflict or inconsistent with the guiding principles and policies. A decision-making model helps ensure that IT decisions are coherent and consistent with the corporate direction and aligned with the overall business strategies. Decision factors need to be defined that weigh the importance of trade-off decisions. These factors might include cost-benefit analysis, risk identification, scope definition, financial impact, time to delivery, and efficiency and effectiveness of delivery. The design of the model should be geared to the number and type of decisions that need to be rendered.
1

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2007

 Value realization and delivery frameworkValue realization has two dimensions, demand management and supply management. Demand management includes the activities involved with generating demand for the products and services offered by the organization. This translates to the need to ensure business and IT strategy alignment, effective portfolio management and prudent investment management. Supply management consists of the activities that are directly involved with provisioning and supplying the products and services offered by the organization. The IT Governance Institute (ITGI) has distilled value demand and delivery into five core disciplines. These focus areas, as depicted in figure 2, are create value (through strategic alignment), deliver value, risk management, resource management and performance measurement. Figure 2IT Governance Focus Areas

will vary from company to company. In spite of the obstacles, gaining an understanding of three influencing factors will provide reasonable assurance that the deployed IT governance practices and processes are aligned with the cultural and operational nuances of the company. Three primary influencing factors within an organizations business profile are: 1. The business modelArticulates how the organization will create and sustain value for its customer(s) 2. The operational modeDefines the role IT performs in providing value to the business 3. The personality profileThe manner in which a company characterizes itself. It is the companys identity and unique characteristics. Another important consideration when customizing IT governance is the change driver. This is the catalyst, event or business proposition that provides the impetus to focus on IT governance. Change drivers surface in many forms but are typically rooted in three themes: the need for operational excellence, risk management and regulatory compliance. The desire to achieve operational excellence is driven by the goal of deriving optimal business value from IT assets by emphasizing efficiency and effectiveness. For example, value can be realized by pursuing a shared services strategy, by defining a service-oriented architecture (SOA) or by establishing enterprise technical architecture. By contrast, if the drivers source is risk management or regulatory compliance, it is typically a response to external requirements such as the introduction of a new law or regulatory mandate.

Affinity With the Business Model

It is imperative to identify what constitutes IT value within a business context. In their book The Discipline of Market Leaders,1 Michael Treacy and Fred Wiersema introduced a conceptual model as a means for companies to attain and sustain market leadership. Furthermore the term value discipline was defined as a means to differentiate the forms of derived business value. Value disciplines encapsulate the business orientation of the company and are instrumental in shaping its business model. The three categories of value discipline are: Product (or service) leadershipCharacterized by continuous product innovation and rapid commercialization Operational excellenceCharacterized by an emphasis on efficiency and reliability. Organizations that focus in this discipline typically lead the industry in price and convenience. Customer intimacyFocus on cultivation of relationships, customer service and responsiveness By virtue that business strategies serve as the foundation of an organizations business model, the value discipline will have a significant effect when tailoring an IT governance architecture. Value disciplines encapsulate the business model of the company and are underpinned by value drivers. As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a value driver is a measure of the strategies, processes, activities, or assets that create value and whether they are being utilized in a manner that creates sustainable value. Value drivers articulate the relative importance of strategic goals in support of the companys business model. Examples include time to market, return on investment, operational

Value managementThis aspect of IT governance is concerned with the delivery of business value from IT investments. The objective of value management is to ensure that organizations maximize value by optimizing the benefits of investments throughout their economic life cycle within defined risk tolerance thresholds. IT value management involves the continuous awareness of value for the organization, establishing measures or estimates of value, monitoring and controlling them. To help ensure that IT decision-making results in optimal value to the business, a value framework is required to objectively assess the relative business value of alternative IT investment planning decisions. There are various ways this can be achieved such as mapping business key performance indicators (KPIs) to IT KPIs and developing an appropriate set of balanced scorecards (BSCs) that link business and IT KPIs or by adopting the a comprehensive framework such as ITGIs Val IT.

Tailoring the Style of IT Governance to Mesh With the Corporate Environment

The implementation of IT governance, even when the leading practice frameworks are adopted, is typically challenging given its somewhat amorphous form. The unique nature of every organization means that cultivating an environment conducive to desirable behavior in the use of IT
2

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2007

effectiveness and efficiency, agility, advocacy level in the use of emerging technologies, and other key factors. Collectively, the composition of the value drivers serves as a major influence on the companys operational style and mode.

Subsequently, it helps address the dilemma of how to implement an IT governance program. This is particularly relevant in the layers of the model that address cultivating behavior, decision making and taking action (figure 3). Figure 3Customized IT Governance Architecture

Operational Mode and the Role of IT

The operational mode is the relationship, importance and role of IT in deriving business value. The role has two dimensions that correlate with the demand and supply management elements of the IT governance reference model. The first dimension (demand management) is ITs role in contributing to the strategic goals of the enterprise. The other dimension (supply management) is the role that the business expects the IT organization and management to play to most effectively support the business. The relative importance of these two dimensions is directly driven by the business model of the organization. The operational mode needs to reflect whether the company is a high-growth, risk-taking market leader to one that is a riskaverse, mature-growth market follower. This will drive multiple operational factors including the complexity of the infrastructure, adoption of emerging technologies and agility level of the IT organization to meet changing business needs. One additional layer of complexity surfaces when the IT organization has to serve different business units or segments, particularly if they have differing definitions and expectations of IT-derived value.

Melding in Leading Practice IT Governance Frameworks

The operational mode together with the change driver are the primary aids when selecting the most appropriate leading practice framework to support the IT governance needs of the organization. With this established, the impacted focus areas can be decomposed into the critical processes. Mapping these processes with the appropriate leading practice framework effectively resolves the quandary of what framework should be used. The change driver provides the additional context to help identify the correct level of emphasis for each of the IT governance focus areas. Each of the leading practice frameworks have relative merits and strengths. They tend to have been designed to serve a specific aspect of IT governance and this shapes the construct and content of the framework. Instances where multiple change drivers exist frequently point to a blend of frameworks that are synthesized together. In summary, while there is no silver bullet solution to IT governance, investing time in understanding the various facets of a companys business model, operating mode and personality will facilitate the crafting of a robust and compatible IT governance architecture and ensure that the program is in harmony with, and is supported by, the corporate culture and operational environment.

Factoring in the Companys Personality Profile

A companys personality represents the cultural DNA that permeates throughout the organization. Culture starts with an understanding of the boards disposition and role it plays in the corporation. It includes the leadership style, management philosophy, behavioral patterns, and established values and norms. Furthermore, communication style and protocols for socialization and institutionalization need to be fully understood. The human element of IT governance cannot be underestimated. Other aspects of the cultural profile include span of control and influence, and the de facto approach to decision making and consensus building. It is important to consider the level of independence and autonomy afforded to each business unit or segment. For example, IT may be dispersed autonomously across the lines of business or consolidated into a centralized IT model.

Tailoring the IT Governance Reference Model Into an Architecture

It is vital that the style of governance be shaped by an organizations business profileits personality, operating mode and business model. To satisfy this need, a generic IT governance reference model can be transformed into a customized IT governance architecture by using the business profile to craft and shape the components. Collectively, the three aspects of the business profile anchor the initiative, facilitate the choice of leading practice framework(s), and provide the road map to establish prudent and sound IT governance. Becoming fully apprised of the companys personality profile becomes a necessity that will ultimately dictate how IT governance is perceived and adopted. More importantly, it determines how well it will be synthesized into the organization.

Endnotes
1

Treacy, Michael; Fred Wiersema; The Discipline of Market Leaders, Perseus Books, USA, 1995

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2007

Nick Robinson, CISA is with Ernst & Youngs Technology and Security Risk Services practice. He has more than 20 years of information technology experience, including IT and operational risk management, and enterprise technical architecture. He currently provides advisory services to Fortune 500 companies in the areas of IT and security governance. Robinson has written articles for a variety of IT governance and compliance publications. He is a member of advisory group for ITGIs Val IT framework and can be contacted at nick.robinson@ey.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2007 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2007