Executive Guide to IT Governance
A Spyglass, A Compass and a Good Map - The Executive Guide to IT Governance. Today's CIO is sailing in uncharted waters. Never before in the history of the information age have technology complexity, time to market, and business responsiveness come together so swiftly to form the CIO agenda. The CIO is facing a perfect storm and needs the right tools to not only sail his ship to a safe port but to win the race and return loaded with the treasure the enterprise seeks.
Charting the right course over heavy chop and through a hard-blowing gale requires a set of tools that provides the best possible information to the captain at the time critical decisions are being made. Last week's climate report is of no use when the weather turns for the worse. However, telltails on the mainsail and a man up in the rigging can alert the captain to unanticipated shifts in the wind. Down below, an up-to-date nautical map is critical for plotting success while above board, a compass and a spyglass are essential for navigation in challenging seas.
Like all good captains, the CIO knows that he is trying to solve an intractable problem. Sailing requires an understanding and appreciation for the sea, the wind, and the ship. IT success requires a likeminded understanding and appreciation for the organization's strategy, costs, and risks, and most importantly, how these factors relate to each other to form the ebb and flow of IT action.
And so, no matter if you are discovering The New World or at the helm of a Fortune 500 IT organization, you will require three key tools for success: a spyglass, a compass, and a good map.
The Evolution of Technology Complexity
Before the days of on-demand computing, Sarbanes-Oxley compliance, and the balanced scorecard, the CIO agenda was controllable. Technology was a “nice to have,” not a core capability. IT initiatives progressed at a manageable rate measured by months and years. Recovery was strictly an IT issue and, like compliance, rarely related to the business.
But over the last 10 years, ever growing business expectations and hyper-competitiveness have driven massive IT investment and associated complexity. Today, the enterprise technology environment touches every process, product, employee and customer and is viewed by the CEO and lines of business executives as a critical lever for corporate success.
Consequently, the CIO - as helmsman for enterprise achievement - must align the right people, mechanisms, and information to guide technology decisions that are completely in sync with corporate goals and mandates. According to Val Sribar of Meta Group, “visibility into both the business and technology architectures is critical for growing and managing the enterprise.”
The Spyglass: IT Visibility Takes Long-Sighted Vision
Invented by the Dutch, the spyglass was first brought to prominence by Galileo in the early 1600s. As a nautical instrument, it rose to prominence as the tool to pick friend from foe on the high seas, as well as to spot whales and other bounty. Magnifying devices have been central to maritime strategy since their invention, primarily because they gave the captain the ability to “see the future”. Whether it was an approaching galleon or a hidden reef, the spyglass revolutionized the captain's access to relevant, timely information and drove nautical decision making for nearly 400 years.
Today, the spyglass stands as a metaphor for “visibility” into the business and technology architectures of the enterprise. Below decks of the modern enterprise is a federation of interrelated information domains. Enterprise goals, initiatives, functions, and processes represent the business architecture, while IT services, applications, hardware, networks, and data symbolize the IT architecture. These elements weave a web of relationships so dense that it is typically impossible to view them in their entirety.
And yet, only by having such visibility can the CIO truly set strategy and manage architecture. Accordingly, many IT organizations have begun to invest in, and appreciate, the power of enterprise visibility capabilities. Initiatives such as Business Architecture Management (BAM), Enterprise Architecture (EA), and IT Configuration Management have been chartered in the last few years solely in the name of obtaining such visibility.
Val Sribar from Meta Group states, “a key aspect of successful IT Governance is the development of an information foundation upon which critical asset, financial, and compliance decisions can be confidently made.” Further, according to Meta Group research, “By 2006, 20% of Global 2000 organizations will integrate holistic enterprise architecture, enterprise program management, enterprise strategy/planning, and IT portfolio management into a common set of IT management processes under the auspices of the CIO's office.” In order to fulfill this integrated strategy - under the IT Governance mantra, key prerequisites need to be put in place today to operationalize EA activities. The CIO must ensure that EA and BAM activities address the following concerns:
- What does the “as-is” environment really look like?
- What is the impact of specific changes on the IT environment and related business processes?
- What is the progress of our EA initiatives?
- What are the interdependencies among technology assets, business processes, and people?
- Will planned changes to the technology environment support our business priorities?
These capabilities sync nicely with one of the overarching CIO buzzwords - Alignment. The alignment of IT to business strategy is receiving due attention from the enterprise of today. According to Gartner, “architecture is the bridge between business and technology. It is the translation mechanism by which business needs are translated into technology solutions. Yet most enterprise architecture efforts fail because of a lack of acceptance by the business community. A top-down, business-driven approach is key to ensuring acknowledged and valuable alignment of technology with the business.”
And so a spyglass becomes both a necessary and risky tool in the hands of the CIO. Necessary - for without enterprise visibility, the IT organization will fail to be able to respond to alignment goals. Yet risky - for without the ability to share such insight with business benefactors, the CIO's views on the future of the enterprise may be cast aside, or as Galileo found out, even condemned.
The Compass: Guiding the Enterprise Through an Ocean of Regulations
If there is one thing a ship's captain can count on, it is that his compass always points north. The compass is a certainty by which he can navigate the ship. It stands for the laws that must be followed. Similarly, the CIO faces certain “laws” that govern how IT must be operated. These laws are known as regulations and standards. As with sailing rules, the CIO must ensure that his organization conforms to and enforces relevant requirements.
Requirements conformance can be broken into two distinct areas: regulatory requirements and internal standards. Today, companies are being battered by increased regulatory oversight. Regulations from Sarbanes-Oxley (SOX) to Basel II to HIPAA to GLB to CAN-SPAM are driving transparency to the complex relationships that exist between stated corporate policies and the actual IT and business environments those policies are intended to govern. Yet, as in the case of Sarbanes-Oxley, recent Meta Group research shows that only 46% of survey respondents indicated that SOX compliance efforts were coordinated and integrated with efforts to meet other regulatory requirements. Although it is still early for firms to consolidate global compliance management, by 2006 this will change as firms establish and consolidate internal and external compliance initiatives into corporate governance offices. Similar metrics exist for other regulations as well, indicating the challenges faced with achieving regulatory compliance irrespective of the regulation or mandate.
Regulatory compliance has, according to Gartner, significant implications for enterprise IT organizations from the CIO down. CIOs will need to take a strategic view of risk management, aligning the business needs of the enterprise with the technologies - reporting, data collation, cleaning, exceptions monitoring and compliance reporting - that support them. The most critical demands of the new regulatory environment will be (a) ensuring the implementation of common definitions and common reporting structures across the enterprise, and (b) the development of overarching information sharing designed to comply with regulatory reporting requirements. This new regulatory-heavy environment dictates that IT organizations have a complete view of their enterprise IT assets and how they work together to serve the business—a goal that is not a simple undertaking. Many organizations have thousands of components in their enterprise IT environment (e.g., applications, servers, infrastructure, business processes). The task of finding and accurately documenting assets is a labor-intensive process that can take months to complete.
Today’s CIO must have the ability to address core capabilities related to policy management and regulatory conformance including:
- What policies should be implemented to conform to SOX, HIPAA, Information Privacy or other compliance standards?
- Do our applications map to compliance requirements?
- What is the current compliance level of our policies?
- Where are our policy gaps?
Internal standards and policies are as likely as not to originate in the IT organization. Architecture is powerless without conformance and audit capabilities. Being able to enforce standards on technology selection and configuration is a critical aspect of reducing risk and assuring compliance with business requirements.
Like regulatory requirements, business continuity also stands as a critical line of defense between enterprise control and chaos. Despite an increased emphasis on business continuity planning following the September 11th tragedies, most organizations struggle to identify, document, and categorize critical IT assets. The process of capturing and categorizing these assets is typically manual and time-intensive. There is often no way to efficiently map these IT assets to key business priorities. In addition, technology infrastructures change continuously, making it extremely difficult to keep plans up to date. The result is that only 20% of Global 2000 organizations have business continuity plans that ensure a strong likelihood of surviving a disaster without lasting adverse impacts to the enterprise.
The CIO must keep a steady hand on the wheel as he sails the IT organization into new waters. Always knowing his heading, however, will keep him clear of hazards that have sunk lesser mariners.
A Good Map: Providing the Passage to Enterprise Optimization
Maps are one of the most basic (and informative) infographics. The simple map: A rectangle with a few lines, some labels, and an X can impart what it would take hundreds of words to describe. Maps are an abstraction of our world, a representation of space. At their most basic, they tell us where. If tweaked and tuned properly, they can tell us where, how, and even why.
Nautical charts provide the essential guidance a good captain needs to secure his ship safely in port. They suggest the optimal path that a captain might take, and they even point to dangers and opportunities along the way.
While today's CIO might not have the benefit of an “X” Marks The Spot guide to IT optimization, it is critical that he implement best practices to understand and drive out operational costs across the enterprise. Today, IT Governance best practices can be leveraged by the CIO for the main areas for operational success. These areas include IT Financial Management and Business Service Management.
CIOs and IT financial executives today face the challenge of how to apply financial and cost management best practices to IT - to effectively run IT 'like a business.' Progressive IT leaders know that best practices can create tremendous business value, leading to better investment decisions, lower operating costs, and lower negotiated vendor and outsourcer prices. In fact, research has shown that organizations could reduce their IT budgets by up to 20% annually through more effective IT financial management.
IT financial leaders require complete, current, and accurate visibility into the links between cost and usage relationships of IT assets and their business drivers. The goal is to match every dollar spent with the utilization of every resource allocated to a given project. This goal has been elusive because current asset management and financial reporting solutions do not provide sufficient visibility into these relationships. Manual processes such as spreadsheet modeling cannot accommodate the dynamic complexity of large, enterprise IT environments. To successfully navigate the financial challenges of IT, the CIO must ensure the following capabilities are part of their IT Governance activities:
- Do we understand the true cross-resource TCO of all our IT assets?
- How do we identify how business activities drive IT costs?
- Can we effectively implement IT cost charge-back systems based on business activity?
- How do we align budget and forecasting processes around a common view of current and expected IT costs?
- How do we benchmark and analyze IT costs across Lines of Business (LOB)?
With ever-tightening budgets, evolving technologies, and a highly competitive landscape, CIOs must focus on the prioritized needs of the business while keeping service quality high and costs at a minimum. The value derived from IT today is based on the assurance that business performance improves continuously, is measurable, and can be delivered at acceptable levels. Consequently, many IT organizations are adopting a service management approach to delivering IT functionality. Whether this involves insourced or outsourced functionality, the CIO must leverage IT Governance capabilities to assure the challenges can be addressed:
- What elements across the IT environment have a relationship with business services?
- Are our services and service levels in line with the needs of the business?
- Are we meeting our service level requirements?
- Which business processes are affected by changes in service levels?
- How can we optimize our service levels and resource utilization to provide better service?
Surviving the Perfect Storm: The Safe Harbor of IT Governance
Larry Ellison, CEO of Oracle Corporation and noted America's Cup Yacht racer, faced his own perfect storm. “I never meant to risk my life in the Sydney-to-Hobart [yacht race, during which six men drowned and five yachts sank in 1998. Ellison's team won the race.] I didn't know there was going to be a hurricane. Had I known, I wouldn't have gone. I just found myself stuck there, and there was no magic button to get me off the boat.”
Today, the perfect storm of technology complexity, time to market, and business responsiveness is upon us. But the CIO as Captain need not go down with the ship. Rather, the safe harbor of IT Governance can be reached. By implementing IT Governance mechanisms and leveraging best practices, the storm can be survived, and the race can be won. Today there are IT Governance solutions available that enable high-performing IT organizations to provide every person in IT with the information, policies, and analytics that they need to be effective in the processes they support. These solutions will break down the existing IT silos and enable organizations to manage IT services efficiently while they deliver maximum value to the business.
The Riches of Successful IT Governance
Just as dominance on the high seas brings victory and wealth to captain and country, so too does successful IT Governance bring measurable wealth to the enterprise. Based on industry analysis, for a typical Fortune 500 company with $9 billion in revenue, a comprehensive IT Governance initiative can drive as much as $50 million to bottom line savings. These savings come from utilizing the spyglass, the compass, and the map:
- Alignment of IT and business architectures, which eliminates redundant resources and can yield a 40% reduction in service provisioning time and costs.
- Compliance with regulatory requirements, which can yield a 50% reduction in the number and severity of downtime incidents.
- Rationalization of IT resources, which can yield a 20% or greater reduction in infrastructure and application costs.
According to Meta Group's Sribar: "The CIO deals with multiple stakeholders on the business side, each with their own agenda. In order to cascade these business priorities through IT, a governance process and system must be implemented."
And so in the end, neither reef, nor tide, nor black of night can cause a vessel to founder when the captain makes use of his spyglass, compass and map. So too must the CIO secure and utilize IT Governance capabilities and tools - to keep the enterprise on an even keel, on course, and making good time.
by Jonas Lamis, Vice President of Product Marketing for Troux Technologies. He frequently writes and speaks on IT Governance and Risk Management issues.
